diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /docs-xml/smbdotconf/security | |
parent | Initial commit. (diff) | |
download | samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs-xml/smbdotconf/security')
108 files changed, 3829 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/accessbasedshareenum.xml b/docs-xml/smbdotconf/security/accessbasedshareenum.xml new file mode 100644 index 0000000..4557465 --- /dev/null +++ b/docs-xml/smbdotconf/security/accessbasedshareenum.xml @@ -0,0 +1,19 @@ +<samba:parameter name="access based share enum" + type="boolean" + context="S" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>If this parameter is <constant>yes</constant> for a + service, then the share hosted by the service will only be visible + to users who have read or write access to the share during share + enumeration (for example net view \\sambaserver). The share ACLs + which allow or deny the access to the share can be modified using + for example the <command moreinfo="none">sharesec</command> command + or using the appropriate Windows tools. This has + parallels to access based enumeration, the main difference being + that only share permissions are evaluated, and security + descriptors on files contained on the share are not used in + computing enumeration access rights.</para> + </description> + <value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml new file mode 100644 index 0000000..676d5b4 --- /dev/null +++ b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml @@ -0,0 +1,30 @@ +<samba:parameter name="acl flag inherited canonicalization" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls the way Samba handles client requests setting + the Security Descriptor of files and directories and the effect the + operation has on the Security Descriptor flag "DACL + auto-inherited" (DI). Generally, this flag is set on a file (or + directory) upon creation if the parent directory has DI set and also has + inheritable ACEs. + </para> + + <para>On the other hand when a Security Descriptor is explicitly set on + a file, the DI flag is cleared, unless the flag "DACL Inheritance + Required" (DR) is also set in the new Security Descriptor (fwiw, DR is + never stored on disk).</para> + + <para>This is the default behaviour when this option is enabled (the + default). When setting this option to <command>no</command>, the + resulting value of the DI flag on-disk is directly taken from the DI + value of the to-be-set Security Descriptor. This can be used so dump + tools like rsync that copy data blobs from xattrs that represent ACLs + created by the acl_xattr VFS module will result in copies of the ACL + that are identical to the source. Without this option, the copied ACLs + would all loose the DI flag if set on the source.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml new file mode 100644 index 0000000..eeec434 --- /dev/null +++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml @@ -0,0 +1,45 @@ +<samba:parameter name="acl group control" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions + and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the + <emphasis>primary group owner</emphasis> of a file or directory to modify the permissions and ACLs + on that file. + </para> + <para> + On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in + that group to modify the permissions on it. This allows the delegation of security controls + on a point in the filesystem to the group owner of a directory and anything below it also owned + by that group. This means there are multiple people with permissions to modify ACLs on a file + or directory, easing manageability. + </para> + <para> + This parameter allows Samba to also permit delegation of the control over a point in the exported + directory hierarchy in much the same way as Windows. This allows all members of a UNIX group to + control the permissions on a file or directory they have group ownership on. + </para> + + <para> + This parameter is best used with the <smbconfoption name="inherit owner"/> option and also + on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> set + on them, which causes new files and directories created within it to inherit the group + ownership from the containing directory. + </para> + + <para> + This parameter was deprecated in Samba 3.0.23, but re-activated in + Samba 3.0.31 and above, as it now only controls permission changes if the user + is in the owning primary group. It is now no longer equivalent to the + <parameter moreinfo="none">dos filemode</parameter> option. + </para> + +</description> + +<related>inherit owner</related> +<related>inherit permissions</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/adminusers.xml b/docs-xml/smbdotconf/security/adminusers.xml new file mode 100644 index 0000000..5e0f60c --- /dev/null +++ b/docs-xml/smbdotconf/security/adminusers.xml @@ -0,0 +1,18 @@ +<samba:parameter name="admin users" + context="S" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root).</para> + + <para>You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions.</para> + +</description> + +<value type="default"/> +<value type="example">jason</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/algorithmicridbase.xml b/docs-xml/smbdotconf/security/algorithmicridbase.xml new file mode 100644 index 0000000..a5eba3c --- /dev/null +++ b/docs-xml/smbdotconf/security/algorithmicridbase.xml @@ -0,0 +1,26 @@ +<samba:parameter name="algorithmic rid base" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. + </para> + + <para>Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with system users etc. + </para> + + <para>All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitrary-rid supporting backends. + </para> +</description> + +<value type="default">1000</value> +<value type="example">100000</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml new file mode 100644 index 0000000..8bccab3 --- /dev/null +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml @@ -0,0 +1,27 @@ +<samba:parameter name="allow dcerpc auth level connect" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls whether DCERPC services are allowed to + be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, + but no per message integrity nor privacy protection.</para> + + <para>Some interfaces like samr, lsarpc and netlogon have a hard-coded default of + <constant>no</constant> and epmapper, mgmt and rpcecho have a hard-coded default of + <constant>yes</constant>. + </para> + + <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para> + + <para>This option is over-ridden by the implementation specific restrictions. + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. + The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. + </para> +</description> + +<value type="default">no</value> +<value type="example">yes</value> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/allowtrusteddomains.xml b/docs-xml/smbdotconf/security/allowtrusteddomains.xml new file mode 100644 index 0000000..3617210 --- /dev/null +++ b/docs-xml/smbdotconf/security/allowtrusteddomains.xml @@ -0,0 +1,25 @@ +<samba:parameter name="allow trusted domains" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This option only takes effect when the <smbconfoption name="security"/> option is set to + <constant>server</constant>, <constant>domain</constant> or <constant>ads</constant>. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication.</para> + + <para>This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/binddnsdir.xml b/docs-xml/smbdotconf/security/binddnsdir.xml new file mode 100644 index 0000000..a948cb5 --- /dev/null +++ b/docs-xml/smbdotconf/security/binddnsdir.xml @@ -0,0 +1,17 @@ +<samba:parameter name="binddns dir" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>bind dns directory</synonym> +<description> + <para> + This parameters defines the directory samba will use to store the configuration + files for bind, such as named.conf. + + NOTE: The bind dns directory needs to be on the same mount point as the private + directory! + </para> +</description> + +<value type="default">&pathconfig.BINDDNS_DIR;</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/checkpasswordscript.xml b/docs-xml/smbdotconf/security/checkpasswordscript.xml new file mode 100644 index 0000000..18aa2c6 --- /dev/null +++ b/docs-xml/smbdotconf/security/checkpasswordscript.xml @@ -0,0 +1,43 @@ +<samba:parameter name="check password script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>The name of a program that can be used to check password + complexity. The password is sent to the program's standard input.</para> + + <para>The program must return 0 on a good password, or any other value + if the password is bad. + In case the password is considered weak (the program does not return 0) the + user will be notified and the password change will fail.</para> + + <para>In Samba AD, this script will be run <emphasis>AS ROOT</emphasis> by + <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum> + </citerefentry> without any substitutions.</para> + + <para>Note that starting with Samba 4.11 the following environment variables are exported to the script:</para> + + <itemizedlist> + <listitem><para> + SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of user, + the is the same as the %u substitutions in the none AD DC case. + </para></listitem> + + <listitem><para> + SAMBA_CPS_USER_PRINCIPAL_NAME is optional in the AD DC case if the userPrincipalName is present. + </para></listitem> + + <listitem><para> + SAMBA_CPS_FULL_NAME is optional if the displayName is present. + </para></listitem> + </itemizedlist> + + <para>Note: In the example directory is a sample program called <command moreinfo="none">crackcheck</command> + that uses cracklib to check the password quality.</para> + +</description> + +<value type="default"><comment>Disabled</comment></value> +<value type="example">/usr/local/sbin/crackcheck</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml new file mode 100644 index 0000000..efbf17a --- /dev/null +++ b/docs-xml/smbdotconf/security/clientipcsigning.xml @@ -0,0 +1,26 @@ +<samba:parameter name="client ipc signing" + context="G" + type="enum" + function="_client_ipc_signing" + enumlist="enum_smb_signing_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This controls whether the client is allowed or required to use SMB signing for IPC$ + connections as DCERPC transport. Possible values + are <emphasis>desired</emphasis>, <emphasis>required</emphasis> + and <emphasis>disabled</emphasis>. + </para> + + <para>When set to required or default, SMB signing is mandatory.</para> + + <para>When set to desired, SMB signing is offered, but not enforced and if set + to disabled, SMB signing is not offered either.</para> + + <para>Connections from winbindd to Active Directory Domain Controllers + always enforce signing.</para> +</description> + +<related>client signing</related> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientlanmanauth.xml b/docs-xml/smbdotconf/security/clientlanmanauth.xml new file mode 100644 index 0000000..60e1c86 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientlanmanauth.xml @@ -0,0 +1,36 @@ +<samba:parameter name="client lanman auth" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter has been deprecated since Samba 4.13 and + support for LanMan (as distinct from NTLM, NTLMv2 or + Kerberos) authentication as a client + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>client NTLMv2 auth = yes</command> + will be the enforced behaviour.</para> + + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client.</para> + + <para>The LANMAN encrypted response is easily broken, due to its + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option. </para> + + <para>Disabling this option will also disable the <command + moreinfo="none">client plaintext auth</command> option.</para> + + <para>Likewise, if the <command moreinfo="none">client ntlmv2 + auth</command> parameter is enabled, then only NTLMv2 logins will be + attempted.</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml new file mode 100644 index 0000000..9b47944 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml @@ -0,0 +1,46 @@ +<samba:parameter name="client NTLMv2 auth" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter has been deprecated since Samba 4.13 and + support for NTLM and LanMan (as distinct from NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>client NTLMv2 auth = yes</command> + will be the enforced behaviour.</para> + + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response.</para> + + <para>If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Older servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2 when not in an NTLMv2 supporting domain</para> + + <para>Similarly, if enabled, NTLMv1, <command + moreinfo="none">client lanman auth</command> and <command + moreinfo="none">client plaintext auth</command> + authentication will be disabled. This also disables share-level + authentication. </para> + + <para>If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of <command + moreinfo="none">client lanman auth</command>. </para> + + <para>Note that Windows Vista and later versions already use + NTLMv2 by default, and some sites (particularly those following + 'best practice' security polices) only allow NTLMv2 responses, and + not the weaker LM or NTLM.</para> + + <para>When <smbconfoption name="client use spnego"/> is also set to + <constant>yes</constant> extended security (SPNEGO) is required + in order to use NTLMv2 only within NTLMSSP. This behavior was + introduced with the patches for CVE-2016-2111.</para> +</description> +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientplaintextauth.xml b/docs-xml/smbdotconf/security/clientplaintextauth.xml new file mode 100644 index 0000000..5a51c33 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientplaintextauth.xml @@ -0,0 +1,20 @@ +<samba:parameter name="client plaintext auth" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter has been deprecated since Samba 4.13 and + support for plaintext (as distinct from NTLM, NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>client plaintext auth = no</command> + will be the enforced behaviour.</para> + + <para>Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords.</para> +</description> +<value type="default">no</value> +</samba:parameter> + diff --git a/docs-xml/smbdotconf/security/clientprotection.xml b/docs-xml/smbdotconf/security/clientprotection.xml new file mode 100644 index 0000000..347b004 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientprotection.xml @@ -0,0 +1,51 @@ +<samba:parameter name="client protection" + context="G" + type="enum" + enumlist="enum_client_protection_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter defines which protection Samba client + tools should use by default. + </para> + + <para>Possible client settings are:</para> + <itemizedlist> + <listitem> + <para> + <emphasis>default</emphasis> - Use the individual + default values of the options: + <itemizedlist> + <listitem><para><parameter>client signing</parameter></para></listitem> + <listitem><para><parameter>client smb encrypt</parameter></para></listitem> + </itemizedlist> + </para> + </listitem> + + <listitem> + <para> + <emphasis>plain</emphasis> - This will send + everything just as plaintext, signing or + encryption are turned off. + </para> + </listitem> + + <listitem> + <para> + <emphasis>sign</emphasis> - This will enable + integrity checking. + </para> + </listitem> + + <listitem> + <para> + <emphasis>encrypt</emphasis> - This will enable + integrity checks and force encryption for + privacy. + </para> + </listitem> + </itemizedlist> +</description> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml new file mode 100644 index 0000000..d124ad4 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientschannel.xml @@ -0,0 +1,30 @@ +<samba:parameter name="client schannel" + context="G" + type="enum" + enumlist="enum_bool_auto" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + This option is deprecated with Samba 4.8 and will be removed in future. + At the same time the default changed to yes, which will be the + hardcoded behavior in future. + </para> + + <para> + This controls whether the client offers or even demands the use of the netlogon schannel. + <smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel, + <smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not + enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access + if the server is not able to speak netlogon schannel. + </para> + + <para>Note that for active directory domains this is hardcoded to + <smbconfoption name="client schannel">yes</smbconfoption>.</para> + + <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para> +</description> +<value type="default">yes</value> +<value type="example">auto</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml new file mode 100644 index 0000000..bd92818 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsigning.xml @@ -0,0 +1,24 @@ +<samba:parameter name="client signing" + context="G" + type="enum" + enumlist="enum_smb_signing_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This controls whether the client is allowed or required to use SMB signing. Possible values + are <emphasis>desired</emphasis>, <emphasis>required</emphasis> + and <emphasis>disabled</emphasis>. + </para> + + <para>When set to desired or default, SMB signing is offered, but not enforced.</para> + + <para>When set to required, SMB signing is mandatory and if set + to disabled, SMB signing is not offered either.</para> + + <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the + <smbconfoption name="client ipc signing"/> option.</para> +</description> + +<related>client ipc signing</related> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientsmbencrypt.xml b/docs-xml/smbdotconf/security/clientsmbencrypt.xml new file mode 100644 index 0000000..05df152 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsmbencrypt.xml @@ -0,0 +1,126 @@ +<samba:parameter name="client smb encrypt" + context="G" + type="enum" + enumlist="enum_smb_encryption_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter controls whether a client should try or is required + to use SMB encryption. It has different effects depending on whether + the connection uses SMB1 or SMB3: + </para> + + <itemizedlist> + <listitem> + <para> + If the connection uses SMB1, then this option controls the use + of a Samba-specific extension to the SMB protocol introduced in + Samba 3.2 that makes use of the Unix extensions. + </para> + </listitem> + + <listitem> + <para> + If the connection uses SMB2 or newer, then this option controls + the use of the SMB-level encryption that is supported in SMB + version 3.0 and above and available in Windows 8 and newer. + </para> + </listitem> + </itemizedlist> + + <para> + This parameter can be set globally. Possible values are + + <emphasis>off</emphasis>, + <emphasis>if_required</emphasis>, + <emphasis>desired</emphasis>, + and + <emphasis>required</emphasis>. + A special value is <emphasis>default</emphasis> which is + the implicit default setting of <emphasis>if_required</emphasis>. + </para> + + <variablelist> + <varlistentry> + <term><emphasis>Effects for SMB1</emphasis></term> + <listitem> + <para> + The Samba-specific encryption of SMB1 connections is an + extension to the SMB protocol negotiated as part of the UNIX + extensions. SMB encryption uses the GSSAPI (SSPI on Windows) + ability to encrypt and sign every request/response in a SMB + protocol stream. When enabled it provides a secure method of + SMB/CIFS communication, similar to an ssh protected session, but + using SMB/CIFS authentication to negotiate encryption and + signing keys. Currently this is only supported smbclient of by + Samba 3.2 and newer. Windows does not support this feature. + </para> + + <para> + When set to default, SMB encryption is probed, but not + enforced. When set to required, SMB encryption is required and + if set to disabled, SMB encryption can not be negotiated. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>Effects for SMB3 and newer</emphasis></term> + <listitem> + <para> + Native SMB transport encryption is available in SMB version 3.0 + or newer. It is only used by Samba if + <emphasis>client max protocol</emphasis> is set to + <emphasis>SMB3</emphasis> or newer. + </para> + + <para> + These features can be controlled with settings of + <emphasis>client smb encrypt</emphasis> as follows: + </para> + + <itemizedlist> + <listitem> + <para> + Leaving it as default, explicitly setting + <emphasis>default</emphasis>, or setting it to + <emphasis>if_required</emphasis> globally will enable + negotiation of encryption but will not turn on + data encryption globally. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>desired</emphasis> globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those servers + that support it. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>required</emphasis> globally + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>off</emphasis> globally will + completely disable the encryption feature for all + connections. + </para> + </listitem> + </itemizedlist> + </listitem> + </varlistentry> + </variablelist> +</description> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml new file mode 100644 index 0000000..78df3f9 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml @@ -0,0 +1,21 @@ +<samba:parameter name="client smb3 encryption algorithms" + context="G" + type="list" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the availability and order of + encryption algorithms which are available for negotiation in the SMB3_11 dialect. + </para> + <para>It is also possible to remove individual algorithms from the default list, + by prefixing them with '-'. This can avoid having to specify a hardcoded list. + </para> + <para>Note: that the removal of AES-128-CCM from the list will result + in SMB3_00 and SMB3_02 being unavailable, as it is the default and only + available algorithm for these dialects. + </para> +</description> + +<value type="default">AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM</value> +<value type="example">AES-256-GCM</value> +<value type="example">-AES-128-GCM -AES-128-CCM</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml new file mode 100644 index 0000000..f7c61f3 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml @@ -0,0 +1,22 @@ +<samba:parameter name="client smb3 signing algorithms" + context="G" + type="list" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the availability and order of + signing algorithms which are available for negotiation in the SMB3_11 dialect. + </para> + <para>It is also possible to remove individual algorithms from the default list, + by prefixing them with '-'. This can avoid having to specify a hardcoded list. + </para> + <para>Note: that the removal of AES-128-CMAC from the list will result + in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256 + will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only + available algorithms for these dialects. + </para> +</description> + +<value type="default">AES-128-GMAC, AES-128-CMAC, HMAC-SHA256</value> +<value type="example">AES-128-CMAC, HMAC-SHA256</value> +<value type="example">-AES-128-CMAC</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientusekerberos.xml b/docs-xml/smbdotconf/security/clientusekerberos.xml new file mode 100644 index 0000000..ad35dcf --- /dev/null +++ b/docs-xml/smbdotconf/security/clientusekerberos.xml @@ -0,0 +1,49 @@ +<samba:parameter name="client use kerberos" + context="G" + type="enum" + function="_client_use_kerberos" + enumlist="enum_use_kerberos_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter determines whether Samba client tools will try + to authenticate using Kerberos. For Kerberos authentication you + need to use dns names instead of IP addresses when connecting + to a service. + </para> + + <para>Possible option settings are:</para> + <itemizedlist> + <listitem> + <para> + <emphasis>desired</emphasis> - Kerberos + authentication will be tried first and if it fails it + automatically fallback to NTLM. + </para> + </listitem> + + <listitem> + <para> + <emphasis>required</emphasis> - Kerberos + authentication will be required. There will be no + falllback to NTLM or a different alternative. + </para> + </listitem> + + <listitem> + <para> + <emphasis>off</emphasis> - Don't use + Kerberos, use NTLM instead or another + alternative. + </para> + </listitem> + </itemizedlist> + + <para> + In case that weak cryptography is not allowed (e.g. FIPS mode) + the default will be forced to <emphasis>required</emphasis>. + </para> +</description> + +<value type="default">desired</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml new file mode 100644 index 0000000..8e9edd2 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml @@ -0,0 +1,35 @@ +<samba:parameter name="client use spnego principal" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter determines whether or not + <citerefentry><refentrytitle>smbclient</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> and other samba components + acting as a client will attempt to use the server-supplied + principal sometimes given in the SPNEGO exchange.</para> + + <para>If enabled, Samba can attempt to use Kerberos to contact + servers known only by IP address. Kerberos relies on names, so + ordinarily cannot function in this situation. </para> + + <para>This is a VERY BAD IDEA for security reasons, and so this + parameter SHOULD NOT BE USED. It will be removed in a future + version of Samba.</para> + + <para>If disabled, Samba will use the name used to look up the + server when asking the KDC for a ticket. This avoids situations + where a server may impersonate another, soliciting authentication + as one principal while being known on the network as another. + </para> + + <para>Note that Windows XP SP2 and later versions already follow + this behaviour, and Windows Vista and later servers no longer + supply this 'rfc4178 hint' principal on the server side.</para> + + <para>This parameter is deprecated in Samba 4.2.1 and will be removed + (along with the functionality) in a later release of Samba.</para> +</description> +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml new file mode 100644 index 0000000..06ee896 --- /dev/null +++ b/docs-xml/smbdotconf/security/createmask.xml @@ -0,0 +1,37 @@ +<samba:parameter name="create mask" + context="S" + type="octal" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + +<synonym>create mode</synonym> +<description> + <para> + When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to + UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may + be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will + be removed from the modes set on a file when it is created. + </para> + + <para> + The default value of this parameter removes the <literal>group</literal> and <literal>other</literal> + write and execute bits from the UNIX modes. + </para> + + <para> + Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the + <smbconfoption name="force create mode"/> parameter which is set to 000 by default. + </para> + + <para> + This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/> + for details. + </para> +</description> + +<related>force create mode</related> +<related>directory mode</related> +<related>inherit permissions</related> + +<value type="default">0744</value> +<value type="example">0775</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/debugencryption.xml b/docs-xml/smbdotconf/security/debugencryption.xml new file mode 100644 index 0000000..5b51b4a --- /dev/null +++ b/docs-xml/smbdotconf/security/debugencryption.xml @@ -0,0 +1,22 @@ +<samba:parameter name="debug encryption" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para> + This option will make the smbd server and client code using + libsmb (smbclient, smbget, smbspool, ...) dump the Session Id, + the decrypted Session Key, the Signing Key, the Application Key, + the Encryption Key and the Decryption Key every time an SMB3+ + session is established. This information will be printed in logs + at level 0. + </para> + <para> + Warning: access to these values enables the decryption of any + encrypted traffic on the dumped sessions. This option should + only be enabled for debugging purposes. + </para> + </description> + + <value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml b/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml new file mode 100644 index 0000000..b7c2680 --- /dev/null +++ b/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml @@ -0,0 +1,16 @@ +<samba:parameter name="dedicated keytab file" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + Specifies the absolute path to the kerberos keytab file when + <smbconfoption name="kerberos method"/> is set to "dedicated + keytab". + </para> +</description> +<related>kerberos method</related> +<value type="default"/> +<value type="example">/usr/local/etc/krb5.keytab</value> +</samba:parameter> + diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml new file mode 100644 index 0000000..890092a --- /dev/null +++ b/docs-xml/smbdotconf/security/directorymask.xml @@ -0,0 +1,33 @@ +<samba:parameter name="directory mask" + context="S" + type="octal" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>directory mode</synonym> +<description> + <para>This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories.</para> + + <para>When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set + here will be removed from the modes set on a directory when it is + created.</para> + + <para>The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it.</para> + + <para>Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added).</para> +</description> + +<related>force directory mode</related> +<related>create mask</related> +<related>inherit permissions</related> +<value type="default">0755</value> +<value type="example">0775</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml new file mode 100644 index 0000000..f02e4ff --- /dev/null +++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml @@ -0,0 +1,12 @@ +<samba:parameter name="directory security mask" + context="S" + removed="1" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter has been removed for Samba 4.0.0. + </para> +</description> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml new file mode 100644 index 0000000..4fdfa89 --- /dev/null +++ b/docs-xml/smbdotconf/security/encryptpasswords.xml @@ -0,0 +1,47 @@ +<samba:parameter name="encrypt passwords" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter has been deprecated since Samba 4.11 and + support for plaintext (as distinct from NTLM, NTLMv2 + or Kerberos authentication) + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>encrypt passwords = yes</command> + will be the enforced behaviour.</para> + <para>This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the chapter "User Database" in the Samba HOWTO Collection. + </para> + + <para> + MS Windows clients that expect Microsoft encrypted passwords and that + do not have plain text password support enabled will be able to + connect only to a Samba server that has encrypted password support + enabled and for which the user accounts have a valid encrypted password. + Refer to the smbpasswd command man page for information regarding the + creation of encrypted passwords for user accounts. + </para> + + <para> + The use of plain text passwords is NOT advised as support for this feature + is no longer maintained in Microsoft Windows products. If you want to use + plain text passwords you must set this parameter to no. + </para> + + <para>In order for encrypted passwords to work correctly + <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> must either + have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> program for information on how to set up + and maintain this file), or set the <smbconfoption name="security">[domain|ads]</smbconfoption> parameter which + causes <command moreinfo="none">smbd</command> to authenticate against another + server.</para> +</description> +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml new file mode 100644 index 0000000..79e6e63 --- /dev/null +++ b/docs-xml/smbdotconf/security/forcecreatemode.xml @@ -0,0 +1,25 @@ +<samba:parameter name="force create mode" + context="S" + type="octal" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies a set of UNIX mode bit + permissions that will <emphasis>always</emphasis> be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the <parameter moreinfo="none">create mask</parameter> + parameter is applied.</para> + + <para>The example below would force all newly created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</para> + +</description> + +<related>create mask</related> +<related>inherit permissions</related> + +<value type="default">0000</value> +<value type="example">0755</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml new file mode 100644 index 0000000..aa8375a --- /dev/null +++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml @@ -0,0 +1,25 @@ +<samba:parameter name="force directory mode" + context="S" + type="octal" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies a set of UNIX mode bit + permissions that will <emphasis>always</emphasis> be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter <parameter moreinfo="none">directory mask</parameter> is + applied.</para> + + <para>The example below would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</para> +</description> + +<value type="default">0000</value> +<value type="example">0755</value> + +<related>directory mask</related> +<related>inherit permissions</related> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml new file mode 100644 index 0000000..fbd8e16 --- /dev/null +++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml @@ -0,0 +1,11 @@ +<samba:parameter name="force directory security mode" + context="S" + type="string" + removed="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter has been removed for Samba 4.0.0. + </para> +</description> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcegroup.xml b/docs-xml/smbdotconf/security/forcegroup.xml new file mode 100644 index 0000000..646f550 --- /dev/null +++ b/docs-xml/smbdotconf/security/forcegroup.xml @@ -0,0 +1,40 @@ +<samba:parameter name="force group" + context="S" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>group</synonym> +<description> + <para>This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files.</para> + + <para>In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting <filename moreinfo="none">force group = +sys</filename> means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group.</para> + + <para> + If the <smbconfoption name="force user"/> parameter is also set the group specified in + <parameter moreinfo="none">force group</parameter> will override the primary group + set in <parameter moreinfo="none">force user</parameter>.</para> + +</description> + +<related>force user</related> + +<value type="default"/> +<value type="example">agroup</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml new file mode 100644 index 0000000..5a9479e --- /dev/null +++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml @@ -0,0 +1,11 @@ +<samba:parameter name="force security mode" + context="S" + type="string" + removed="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter has been removed for Samba 4.0.0. + </para> +</description> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/forceunknownacluser.xml b/docs-xml/smbdotconf/security/forceunknownacluser.xml new file mode 100644 index 0000000..c5aec53 --- /dev/null +++ b/docs-xml/smbdotconf/security/forceunknownacluser.xml @@ -0,0 +1,27 @@ +<samba:parameter name="force unknown acl user" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + +<description> + <para> + If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or + representation of a user or group id) as the owner or group owner of the file will be silently + mapped into the current UNIX uid or gid of the currently connected user. + </para> + + <para> + This is designed to allow Windows NT clients to copy files and folders containing ACLs that were + created locally on the client machine and contain users local to that machine only (no domain + users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and + groupid of the file owner map to the current connected user. This can only be fixed correctly + when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid. + </para> + + <para> + Try using this parameter when XCOPY /O gives an ACCESS_DENIED error. + </para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/forceuser.xml b/docs-xml/smbdotconf/security/forceuser.xml new file mode 100644 index 0000000..f3010a9 --- /dev/null +++ b/docs-xml/smbdotconf/security/forceuser.xml @@ -0,0 +1,28 @@ +<samba:parameter name="force user" + type="string" + context="S" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems.</para> + + <para>This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful.</para> + + <para>In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug).</para> + +</description> + +<related>force group</related> +<value type="default"/> +<value type="example">auser</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/guestaccount.xml b/docs-xml/smbdotconf/security/guestaccount.xml new file mode 100644 index 0000000..2914630 --- /dev/null +++ b/docs-xml/smbdotconf/security/guestaccount.xml @@ -0,0 +1,27 @@ +<samba:parameter name="guest account" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This is a username which will be used for access + to services which are specified as <smbconfoption name="guest ok"/> (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + This user must exist in the password file, but does not require + a valid login. The user account "ftp" is often a good choice + for this parameter. + </para> + + <para>On some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + <command moreinfo="none">su -</command> command) and trying to print using the + system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none"> + lp(1)</command>.</para> + + <para>This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation.</para> +</description> +<value type="default">nobody<comment>default can be changed at compile-time</comment></value> +<value type="example">ftp</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/guestok.xml b/docs-xml/smbdotconf/security/guestok.xml new file mode 100644 index 0000000..390f1c3 --- /dev/null +++ b/docs-xml/smbdotconf/security/guestok.xml @@ -0,0 +1,19 @@ +<samba:parameter name="guest ok" + type="boolean" + context="S" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>public</synonym> +<description> + <para>If this parameter is <constant>yes</constant> for + a service, then no password is required to connect to the service. + Privileges will be those of the <smbconfoption name="guest account"/>.</para> + + <para>This parameter nullifies the benefits of setting + <smbconfoption name="restrict anonymous">2</smbconfoption> + </para> + + <para>See the section below on <smbconfoption name="security"/> for more information about this option. + </para> +</description> +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/guestonly.xml b/docs-xml/smbdotconf/security/guestonly.xml new file mode 100644 index 0000000..5660162 --- /dev/null +++ b/docs-xml/smbdotconf/security/guestonly.xml @@ -0,0 +1,15 @@ +<samba:parameter name="guest only" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>only guest</synonym> +<description> + <para>If this parameter is <constant>yes</constant> for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if <smbconfoption name="guest ok"/> is not set for the service.</para> + + <para>See the section below on <smbconfoption name="security"/> for more information about this option. + </para> +</description> +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/hostsallow.xml b/docs-xml/smbdotconf/security/hostsallow.xml new file mode 100644 index 0000000..8b4b622 --- /dev/null +++ b/docs-xml/smbdotconf/security/hostsallow.xml @@ -0,0 +1,62 @@ +<samba:parameter name="hosts allow" + context="S" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>allow hosts</synonym> +<description> + <para>A synonym for this parameter is <smbconfoption name="allow hosts"/>.</para> + + <para>This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service.</para> + + <para>If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting.</para> + + <para>You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like <command>allow hosts = 150.203.5.</command>. + The full syntax of the list is described in the man + page <filename>hosts_access(5)</filename>. Note that this man + page may not be present on your system, so a brief description will + be given here also.</para> + + <para>Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a <smbconfoption name="hosts deny"/> option.</para> + + <para>You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + <emphasis>EXCEPT</emphasis> keyword can also be used to limit a + wildcard list. The following examples may provide some help:</para> + +<para>Example 1: allow all IPs in 150.203.*.*; except one</para> + + <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para> + + <para>Example 2: allow hosts that match the given network/netmask</para> + + <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para> + + <para>Example 3: allow a couple of hosts</para> + + <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para> + + <para>Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host</para> + + <para><command moreinfo="none">hosts allow = @foonet</command></para> + + <para><command moreinfo="none">hosts deny = pirate</command></para> + + <note><para>Note that access still requires suitable user-level passwords.</para></note> + + <para>See <citerefentry><refentrytitle>testparm</refentrytitle> + <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access + to see if it does what you expect.</para> + + +</description> + +<value type="example">150.203.5. myhost.mynet.edu.au</value> +<value type="default"><comment>none (i.e., all hosts permitted access)</comment></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/hostsdeny.xml b/docs-xml/smbdotconf/security/hostsdeny.xml new file mode 100644 index 0000000..cd2f8de --- /dev/null +++ b/docs-xml/smbdotconf/security/hostsdeny.xml @@ -0,0 +1,24 @@ +<samba:parameter name="hosts deny" + context="S" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>deny hosts</synonym> +<description> + <para>The opposite of <parameter moreinfo="none">hosts allow</parameter> + - hosts listed here are <emphasis>NOT</emphasis> permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter> + list takes precedence.</para> + + <para> + In the event that it is necessary to deny all by default, use the keyword + ALL (or the netmask <literal>0.0.0.0/0</literal>) and then explicitly specify + to the <smbconfoption name="hosts allow">hosts allow</smbconfoption> parameter those hosts + that should be permitted access. + </para> +</description> + +<value type="default"><comment>none (i.e., no hosts specifically excluded)</comment></value> + +<value type="example">150.203.4. badhost.mynet.edu.au</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/inheritacls.xml b/docs-xml/smbdotconf/security/inheritacls.xml new file mode 100644 index 0000000..4c6caef --- /dev/null +++ b/docs-xml/smbdotconf/security/inheritacls.xml @@ -0,0 +1,21 @@ +<samba:parameter name="inherit acls" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter can be used to ensure that if default acls + exist on parent directories, they are always honored when creating a + new file or subdirectory in these parent directories. The default + behavior is to use the unix mode specified when creating the directory. + Enabling this option sets the unix mode to 0777, thus guaranteeing that + default directory acls are propagated. + + Note that using the VFS modules acl_xattr or acl_tdb which store native + Windows as meta-data will automatically turn this option on for any + share for which they are loaded, as they require this option to emulate + Windows ACLs correctly. +</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/inheritowner.xml b/docs-xml/smbdotconf/security/inheritowner.xml new file mode 100644 index 0000000..2a7a4b8 --- /dev/null +++ b/docs-xml/smbdotconf/security/inheritowner.xml @@ -0,0 +1,58 @@ +<samba:parameter name="inherit owner" + context="S" + type="enum" + enumlist="enum_inherit_owner_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>The ownership of new files and directories + is normally governed by effective uid of the connected user. + This option allows the Samba administrator to specify that + the ownership for new files and directories should be controlled + by the ownership of the parent directory.</para> + + <para>Valid options are:</para> + <itemizedlist> + <listitem><para><constant>no</constant> - + Both the Windows (SID) owner and the UNIX (uid) owner of the file are + governed by the identity of the user that created the file. + </para></listitem> + + <listitem><para><constant>windows and unix</constant> - + The Windows (SID) owner and the UNIX (uid) owner of new files and + directories are set to the respective owner of the parent directory. + </para></listitem> + + <listitem><para><constant>yes</constant> - a synonym for + <constant>windows and unix</constant>. + </para></listitem> + + <listitem><para><constant>unix only</constant> - + Only the UNIX owner is set to the UNIX owner of the parent directory. + </para></listitem> + </itemizedlist> + + <para>Common scenarios where this behavior is useful is in + implementing drop-boxes, where users can create and edit files but + not delete them and ensuring that newly created files in a user's + roaming profile directory are actually owned by the user.</para> + + <para>The <constant>unix only</constant> option effectively + breaks the tie between the Windows owner of a file and the + UNIX owner. As a logical consequence, in this mode, + setting the the Windows owner of a file does not modify the UNIX + owner. Using this mode should typically be combined with a + backing store that can emulate the full NT ACL model without + affecting the POSIX permissions, such as the acl_xattr + VFS module, coupled with + <smbconfoption name="acl_xattr:ignore system acls">yes</smbconfoption>. + This can be used to emulate folder quotas, when files are + exposed only via SMB (without UNIX extensions). + The UNIX owner of a directory is locally set + and inherited by all subdirectories and files, and they all + consume the same quota.</para> +</description> + +<related>inherit permissions</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/inheritpermissions.xml b/docs-xml/smbdotconf/security/inheritpermissions.xml new file mode 100644 index 0000000..9dda734 --- /dev/null +++ b/docs-xml/smbdotconf/security/inheritpermissions.xml @@ -0,0 +1,35 @@ +<samba:parameter name="inherit permissions" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + The permissions on new files and directories are normally governed by <smbconfoption name="create mask"/>, + <smbconfoption name="directory mask"/>, <smbconfoption name="force create mode"/> and <smbconfoption + name="force directory mode"/> but the boolean inherit permissions parameter overrides this. + </para> + + <para>New directories inherit the mode of the parent directory, + including bits such as setgid.</para> + + <para> + New files inherit their read/write bits from the parent directory. Their execute bits continue to be + determined by <smbconfoption name="map archive"/>, <smbconfoption name="map hidden"/> and <smbconfoption + name="map system"/> as usual. + </para> + + <para>Note that the setuid bit is <emphasis>never</emphasis> set via + inheritance (the code explicitly prohibits this).</para> + + <para>This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user.</para> +</description> + +<related>create mask</related> +<related>directory mask</related> +<related>force create mode</related> +<related>force directory mode</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/invalidusers.xml b/docs-xml/smbdotconf/security/invalidusers.xml new file mode 100644 index 0000000..b2fb2b9 --- /dev/null +++ b/docs-xml/smbdotconf/security/invalidusers.xml @@ -0,0 +1,34 @@ +<samba:parameter name="invalid users" + context="S" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This is a list of users that should not be allowed + to login to this service. This is really a <emphasis>paranoid</emphasis> + check to absolutely ensure an improper setting does not breach + your security.</para> + + <para>A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database.</para> + + <para>A name starting with '+' is interpreted only + by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value <parameter moreinfo="none">+&group</parameter> means check the + UNIX group database, followed by the NIS netgroup database, and + the value <parameter moreinfo="none">&+group</parameter> means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix).</para> + + <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. + This is useful in the [homes] section.</para> +</description> + +<related>valid users</related> + +<value type="default"><comment>no invalid users</comment></value> +<value type="example">root fred admin @wheel</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml new file mode 100644 index 0000000..9846111 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml @@ -0,0 +1,42 @@ +<samba:parameter name="kdc default domain supported enctypes" + type="integer" + context="G" + handler="handle_kdc_default_domain_supported_enctypes" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0. + </para> + + <para> + This allows Samba administrators to match the configuration flexibility provided by the + <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows. + </para> + <para> + Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names. + </para> + <para> + Specified values are ORed together bitwise, and those currently supported consist of: + </para><itemizedlist> + <listitem> + <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para> + <para>Known on Windows as Kerberos RC4 encryption</para> + </listitem> + <listitem> + <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para> + <para>Known on Windows as Kerberos AES 128 bit encryption</para> + </listitem> + <listitem> + <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para> + <para>Known on Windows as Kerberos AES 256 bit encryption</para> + </listitem> + <listitem> + <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para> + <para>Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set. This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para> + </listitem> +</itemizedlist> + +</description> + +<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kdcenablefast.xml b/docs-xml/smbdotconf/security/kdcenablefast.xml new file mode 100644 index 0000000..e47ca3b --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcenablefast.xml @@ -0,0 +1,15 @@ +<samba:parameter name="kdc enable fast" + type="boolean" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>With the Samba 4.16 the embedded Heimdal KDC brings + support for RFC6113 FAST, which wasn't available in + older Samba versions.</para> + + <para>This option is mostly for testing and currently only applies + if the embedded Heimdal KDC is used.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml new file mode 100644 index 0000000..1cb46d7 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml @@ -0,0 +1,24 @@ +<samba:parameter name="kdc force enable rc4 weak session keys" + type="boolean" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + <constant>RFC8429</constant> declares that + <constant>rc4-hmac</constant> Kerberos ciphers are weak and + there are known attacks on Active Directory use of this + cipher suite. + </para> + <para> + However for compatibility with Microsoft Windows this option + allows the KDC to assume that regardless of the value set in + a service account's + <constant>msDS-SupportedEncryptionTypes</constant> attribute + that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as + found in a service keytab) can be used if the potentially + older client requests it. + </para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml new file mode 100644 index 0000000..5e028bb --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml @@ -0,0 +1,40 @@ +<samba:parameter name="kdc supported enctypes" + type="integer" + context="G" + handler="handle_kdc_supported_enctypes" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + On an active directory domain controller, this is the list of supported encryption types for local running kdc. + </para> + + <para> + This allows Samba administrators to remove support for weak/unused encryption types, similar + the configuration flexibility provided by the <constant>Network security: Configure encryption types allowed for Kerberos</constant> + GPO/Local Policies/Security Options Value, which results in the + <constant>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes</constant> Registry Value on Windows. + </para> + <para> + Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names. + </para> + <para> + Specified values are ORed together bitwise, and those currently supported consist of: + </para><itemizedlist> + <listitem> + <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para> + <para>Known on Windows as Kerberos RC4 encryption</para> + </listitem> + <listitem> + <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para> + <para>Known on Windows as Kerberos AES 128 bit encryption</para> + </listitem> + <listitem> + <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para> + <para>Known on Windows as Kerberos AES 256 bit encryption</para> + </listitem> +</itemizedlist> + +</description> + +<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96</comment></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml new file mode 100644 index 0000000..a245af5 --- /dev/null +++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml @@ -0,0 +1,47 @@ +<samba:parameter name="kerberos encryption types" + context="G" + type="enum" + enumlist="enum_kerberos_encryption_types_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter determines the encryption types to use when operating + as a Kerberos client. Possible values are <emphasis>all</emphasis>, + <emphasis>strong</emphasis>, and <emphasis>legacy</emphasis>. + </para> + + <para>Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos + tickets. This library is normally configured outside of Samba, using + the krb5.conf file. This file may also include directives to configure + the encryption types to be used. However, Samba implements Active Directory + protocols and algorithms to locate a domain controller. In order to + force the Kerberos library into using the correct domain controller, + some Samba processes, such as + <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> and + <citerefentry><refentrytitle>net</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>, build a private krb5.conf + file for use by the Kerberos library while being invoked from Samba. + This private file controls all aspects of the Kerberos library operation, + and this parameter controls how the encryption types are configured + within this generated file, and therefore also controls the encryption + types negotiable by Samba. + </para> + + <para>When set to <constant>all</constant>, all active directory + encryption types are allowed. + </para> + + <para>When set to <constant>strong</constant>, only AES-based encryption + types are offered. This can be used in hardened environments to prevent + downgrade attacks. + </para> + + <para>When set to <constant>legacy</constant>, only RC4-HMAC-MD5 + is allowed. AVOID using this option, because of + <ulink url="https://www.samba.org/samba/security/CVE-2022-37966.html">CVE-2022-37966</ulink> see + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15237">https://bugzilla.samba.org/show_bug.cgi?id=15237</ulink>. + </para> +</description> + +<value type="default">all</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml new file mode 100644 index 0000000..b7cd988 --- /dev/null +++ b/docs-xml/smbdotconf/security/kerberosmethod.xml @@ -0,0 +1,41 @@ +<samba:parameter name="kerberos method" + context="G" + type="enum" + enumlist="enum_kerberos_method" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + Controls how kerberos tickets are verified. + </para> + + <para>Valid options are:</para> + <itemizedlist> + <listitem><para>secrets only - use only the secrets.tdb for + ticket verification (default)</para></listitem> + + <listitem><para>system keytab - use only the system keytab + for ticket verification</para></listitem> + + <listitem><para>dedicated keytab - use a dedicated keytab + for ticket verification</para></listitem> + + <listitem><para>secrets and keytab - use the secrets.tdb + first, then the system keytab</para></listitem> + </itemizedlist> + + <para> + The major difference between "system keytab" and "dedicated + keytab" is that the latter method relies on kerberos to find the + correct keytab entry instead of filtering based on expected + principals. + </para> + + <para> + When the kerberos method is in "dedicated keytab" mode, + <smbconfoption name="dedicated keytab file"/> must be set to + specify the location of the keytab file. + </para> +</description> +<related>dedicated keytab file</related> +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kpasswdport.xml b/docs-xml/smbdotconf/security/kpasswdport.xml new file mode 100644 index 0000000..71cd337 --- /dev/null +++ b/docs-xml/smbdotconf/security/kpasswdport.xml @@ -0,0 +1,11 @@ +<samba:parameter name="kpasswd port" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>Specifies which ports the Kerberos server should listen on for + password changes.</para> +</description> + +<value type="default">464</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/krb5port.xml b/docs-xml/smbdotconf/security/krb5port.xml new file mode 100644 index 0000000..06c7988 --- /dev/null +++ b/docs-xml/smbdotconf/security/krb5port.xml @@ -0,0 +1,10 @@ +<samba:parameter name="krb5 port" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>Specifies which port the KDC should listen on for Kerberos traffic.</para> +</description> + +<value type="default">88</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml new file mode 100644 index 0000000..045e89d --- /dev/null +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -0,0 +1,55 @@ +<samba:parameter name="lanman auth" + context="G" + type="boolean" + function="_lanman_auth" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter has been deprecated since Samba 4.11 and + support for LanMan (as distinct from NTLM, NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>lanman auth = no</command> + will be the enforced behaviour.</para> + + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will attempt to + authenticate users or permit password changes + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, but not + Windows 95/98 or the MS DOS network client) will be able to + connect to the Samba host.</para> + + <para>The LANMAN encrypted response is easily broken, due to its + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98/ME or MS DOS clients are advised to disable + this option. </para> + + <para>When this parameter is set to <value>no</value> this + will also result in sambaLMPassword in Samba's passdb being + blanked after the next password change. As a result of that + lanman clients won't be able to authenticate, even if lanman + auth is re-enabled later on. + </para> + + <para>Unlike the <parameter moreinfo="none">encrypt + passwords</parameter> option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the <command moreinfo="none">client lanman + auth</command> to disable this for Samba's clients (such as smbclient)</para> + + <para>This parameter is overridden by <parameter moreinfo="none">ntlm + auth</parameter>, so unless that it is also set to + <constant>ntlmv1-permitted</constant> or <constant>yes</constant>, + then only NTLMv2 logins will be permitted and no LM hash will be + stored. All modern clients support NTLMv2, and but some older + clients require special configuration to use it.</para> + + <para><emphasis>This parameter has no impact on the Samba AD DC, + LM authentication is always disabled and no LM password is ever + stored.</emphasis></para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/lognttokencommand.xml b/docs-xml/smbdotconf/security/lognttokencommand.xml new file mode 100644 index 0000000..0ea269e --- /dev/null +++ b/docs-xml/smbdotconf/security/lognttokencommand.xml @@ -0,0 +1,14 @@ +<samba:parameter name="log nt token command" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option can be set to a command that will be called when new nt + tokens are created.</para> + + <para>This is only useful for development purposes.</para> +</description> + +<value type="default"></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml new file mode 100644 index 0000000..c98086a --- /dev/null +++ b/docs-xml/smbdotconf/security/maptoguest.xml @@ -0,0 +1,62 @@ +<samba:parameter name="map to guest" + type="enum" + context="G" + enumlist="enum_map_to_guest" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter can take four different values, which tell + <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> what to do with user + login requests that don't match a valid UNIX user in some way.</para> + + <para>The four settings are :</para> + + <itemizedlist> + <listitem> + <para><constant>Never</constant> - Means user login + requests with an invalid password are rejected. This is the + default.</para> + </listitem> + + <listitem> + <para><constant>Bad User</constant> - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the <smbconfoption name="guest account"/>.</para> + </listitem> + + <listitem> + <para><constant>Bad Password</constant> - Means user logins + with an invalid password are treated as a guest login and mapped + into the <smbconfoption name="guest account"/>. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to + guest</parameter> parameter this way :-).</para> + </listitem> + <listitem> + <para><constant>Bad Uid</constant> - Is only applicable when Samba is configured + in some type of domain mode security (security = {domain|ads}) and means that + user logins which are successfully authenticated but which have no valid Unix + user account (and smbd is unable to create one) should be mapped to the defined + guest account. This was the default behavior of Samba 2.x releases. Note that + if a member server is running winbindd, this option should never be required + because the nss_winbind library will export the Windows domain users and groups + to the underlying OS via the Name Service Switch interface.</para> + </listitem> + </itemizedlist> + + <para>Note that this parameter is needed to set up "Guest" + share services. This is because in these modes the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. </para> +</description> + +<value type="default">Never</value> +<value type="example">Bad User</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml new file mode 100644 index 0000000..46ae795 --- /dev/null +++ b/docs-xml/smbdotconf/security/mindomainuid.xml @@ -0,0 +1,17 @@ +<samba:parameter name="min domain uid" + type="integer" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + The integer parameter specifies the minimum uid allowed when mapping a + local account to a domain account. + </para> + + <para> + Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>! + </para> +</description> + +<value type="default">1000</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/mitkdccommand.xml b/docs-xml/smbdotconf/security/mitkdccommand.xml new file mode 100644 index 0000000..602f27d --- /dev/null +++ b/docs-xml/smbdotconf/security/mitkdccommand.xml @@ -0,0 +1,15 @@ +<samba:parameter name="mit kdc command" + context="G" + type="list" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option specifies the path to the MIT kdc binary.</para> + + <para>If the KDC is not installed in the default location and wasn't + correctly detected during build then you should modify this variable and + point it to the correct binary.</para> +</description> + +<value type="default">&pathconfig.MITKDCPATH;</value> +<value type="example">/opt/mit/sbin/krb5kdc</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/nt_hash_store.xml b/docs-xml/smbdotconf/security/nt_hash_store.xml new file mode 100644 index 0000000..d7ed705 --- /dev/null +++ b/docs-xml/smbdotconf/security/nt_hash_store.xml @@ -0,0 +1,70 @@ +<samba:parameter name="nt hash store" + context="G" + type="enum" + enumlist="enum_nt_hash_store" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter determines whether or not <citerefentry><refentrytitle>samba</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will, as an AD DC, attempt to + store the NT password hash used in NTLM and NTLMv2 authentication for + users in this domain. </para> + + <para>If so configured, the Samba Active Directory Domain Controller, + will, except for trust accounts (computers, domain + controllers and inter-domain trusts) the + <emphasis>NOT store the NT hash</emphasis> + for new and changed accounts in the sam.ldb database.</para> + + <para>This avoids the storage of an unsalted hash for these + user-created passwords. As a consequence the + <constant>arcfour-hmac-md5</constant> Kerberos key type is + also unavailable in the KDC for these users - thankfully + <emphasis>modern clients will select an AES based key + instead.</emphasis></para> + + <para>NOTE: As the password history in Active Directory is + stored as an NT hash (and thus unavailable), a workaround is + used, relying instead on Kerberos password hash values. + This stores three passwords, the current, previous and second previous + password. This allows some checking against reuse. </para> + + <para>However as these values are salted, changing the + sAMAccountName, userAccountControl or userPrincipalName of + an account will cause the salt to change. After the rare + combination of both a rename and a password change only the + current password will be recognised for password history + purposes. + </para> + <para>The available settings are:</para> + + <itemizedlist> + <listitem> + <para><constant>always</constant> - Always store the NT hash + (as machine accounts will also always store an NT hash, + a hash will be stored for all accounts).</para> + + <para>This setting may be useful if <parameter + moreinfo="none">ntlm auth</parameter> is set to <constant>disabled</constant> + for a trial period</para> + + </listitem> + + <listitem> + <para><constant>never</constant> - Never store the NT hash + for user accounts, only for machine accounts</para> + </listitem> + + <listitem> + <para><constant>auto</constant> - Store an NT hash if <parameter + moreinfo="none">ntlm auth</parameter> is not set to <constant>disabled</constant>. + </para> + + </listitem> + + </itemizedlist> + +</description> + +<related>ntlm auth</related> +<value type="default">always</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml new file mode 100644 index 0000000..d7c84cc --- /dev/null +++ b/docs-xml/smbdotconf/security/ntlmauth.xml @@ -0,0 +1,87 @@ +<samba:parameter name="ntlm auth" + context="G" + type="enum" + enumlist="enum_ntlm_auth" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will attempt to + authenticate users using the NTLM encrypted password response for + this local passdb (SAM or account database). </para> + + <para>If disabled, both NTLM and LanMan authentication against the + local passdb is disabled.</para> + + <para>Note that these settings apply only to local users, + authentication will still be forwarded to and NTLM authentication + accepted against any domain we are joined to, and any trusted + domain, even if disabled or if NTLMv2-only is enforced here. To + control NTLM authentiation for domain users, this must option must + be configured on each DC.</para> + + <para>By default with <command moreinfo="none">ntlm auth</command> set to + <constant>ntlmv2-only</constant> only NTLMv2 logins will be + permitted. All modern clients support NTLMv2 by default, but some older + clients will require special configuration to use it.</para> + + <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para> + + <para>The available settings are:</para> + + <itemizedlist> + <listitem> + <para><constant>ntlmv1-permitted</constant> + (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para> + + <para>This is the required setting for to enable the <parameter + moreinfo="none">lanman auth</parameter> parameter.</para> + + </listitem> + + <listitem> + <para><constant>ntlmv2-only</constant> + (alias <constant>no</constant>) - Do not allow NTLMv1 to be used, + but permit NTLMv2.</para> + </listitem> + + <listitem> + <para><constant>mschapv2-and-ntlmv2-only</constant> - Only + allow NTLMv1 when the client promises that it is providing + MSCHAPv2 authentication (such as the <command + moreinfo="none">ntlm_auth</command> tool).</para> + </listitem> + + <listitem> + <para><constant>disabled</constant> - Do not accept NTLM (or + LanMan) authentication of any level, nor permit + NTLM password changes.</para> + + <para><emphasis>WARNING:</emphasis> Both Microsoft Windows + and Samba <emphasis>Read Only Domain Controllers</emphasis> + (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2 + authentication to forward to a full DC. Setting this option + to <constant>disabled</constant> will cause these forwarded + authentications to fail.</para> + + <para>Additionally, for Samba acting as an Active Directory + Domain Controller, for user accounts, if <parameter moreinfo="none">nt hash store</parameter> + is set to the default setting of <constant>auto</constant>, + the <emphasis>NT hash will not be stored</emphasis> + in the sam.ldb database for new users and after a + password change.</para> + + </listitem> + + </itemizedlist> + + <para>The default changed from <constant>yes</constant> to + <constant>no</constant> with Samba 4.5. The default changed again + to <constant>ntlmv2-only</constant> with Samba 4.7, however the + behaviour is unchanged.</para> +</description> + +<related>nt hash store</related> +<related>lanman auth</related> +<related>raw NTLMv2 auth</related> +<value type="default">ntlmv2-only</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml b/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml new file mode 100644 index 0000000..18d70cf --- /dev/null +++ b/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml @@ -0,0 +1,16 @@ +<samba:parameter name="ntp signd socket directory" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This setting controls the location of the socket that + the NTP daemon uses to communicate with Samba for + signing packets.</para> + + <para>If a non-default path is specified here, then it is also necessary + to make NTP aware of the new path using the <constant>ntpsigndsocket</constant> + directive in <filename>ntp.conf</filename>.</para> +</description> + +<value type="default">&pathconfig.NTP_SIGND_SOCKET_DIR;</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/nullpasswords.xml b/docs-xml/smbdotconf/security/nullpasswords.xml new file mode 100644 index 0000000..49533f6 --- /dev/null +++ b/docs-xml/smbdotconf/security/nullpasswords.xml @@ -0,0 +1,14 @@ +<samba:parameter name="null passwords" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>Allow or disallow client access to accounts that have null passwords. </para> + + <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>.</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/obeypamrestrictions.xml b/docs-xml/smbdotconf/security/obeypamrestrictions.xml new file mode 100644 index 0000000..92708ef --- /dev/null +++ b/docs-xml/smbdotconf/security/obeypamrestrictions.xml @@ -0,0 +1,19 @@ +<samba:parameter name="obey pam restrictions" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>When Samba 3.0 is configured to enable PAM support + (i.e. --with-pam), this parameter will control whether or not Samba + should obey PAM's account and session management directives. The + default behavior is to use PAM for clear text authentication only + and to ignore any account or session management. Note that Samba + always ignores PAM for authentication in the case of <smbconfoption + name="encrypt passwords">yes</smbconfoption>. The reason + is that PAM modules cannot support the challenge/response + authentication mechanism needed in the presence of SMB password encryption. +</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml new file mode 100644 index 0000000..78d6ff1 --- /dev/null +++ b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml @@ -0,0 +1,12 @@ +<samba:parameter name="old password allowed period" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>Number of minutes to permit an NTLM login after a password change or reset using the old password. This allows the user to re-cache the new password on multiple clients without disrupting a network reconnection in the meantime. </para> + + <para>This parameter only applies when <smbconfoption name="server role"/> is set to Active Directory Domain Controller.</para> +</description> + +<value type="default">60</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/pampasswordchange.xml b/docs-xml/smbdotconf/security/pampasswordchange.xml new file mode 100644 index 0000000..92ab4ad --- /dev/null +++ b/docs-xml/smbdotconf/security/pampasswordchange.xml @@ -0,0 +1,16 @@ +<samba:parameter name="pam password change" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + <smbconfoption name="passwd program"/>. + It should be possible to enable this without changing your + <smbconfoption name="passwd chat"/> parameter for most setups.</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passdbbackend.xml b/docs-xml/smbdotconf/security/passdbbackend.xml new file mode 100644 index 0000000..8265b3e --- /dev/null +++ b/docs-xml/smbdotconf/security/passdbbackend.xml @@ -0,0 +1,65 @@ +<samba:parameter name="passdb backend" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This option allows the administrator to chose which backend + will be used for storing user and possibly group information. This allows + you to swap between different storage mechanisms without recompile. </para> + + <para>The parameter value is divided into two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character.</para> + + <para>Available backends can include: + <itemizedlist> + <listitem> + <para><command moreinfo="none">smbpasswd</command> - The old plaintext passdb + backend. Some Samba features will not work if this passdb + backend is used. Takes a path to the smbpasswd file as an + optional argument. + </para> + </listitem> + + <listitem> + <para><command moreinfo="none">tdbsam</command> - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the <smbconfoption name="private dir"/> directory.</para> + </listitem> + + <listitem> + <para><command moreinfo="none">ldapsam</command> - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + <command moreinfo="none">ldap://localhost</command>)</para> + + <para>LDAP connections should be secured where possible. This may be done using either + Start-TLS (see <smbconfoption name="ldap ssl"/>) or by + specifying <parameter moreinfo="none">ldaps://</parameter> in + the URL argument. </para> + + <para>Multiple servers may also be specified in double-quotes. + Whether multiple servers are supported or not and the exact + syntax depends on the LDAP library you use. + </para> + + </listitem> + </itemizedlist> + + </para> + Examples of use are: +<programlisting> +passdb backend = tdbsam:/etc/samba/private/passdb.tdb + +or multi server LDAP URL with OpenLDAP library: + +passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com" + +or multi server LDAP URL with Netscape based LDAP library: + +passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com" +</programlisting> +</description> + +<value type="default">tdbsam</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passdbexpandexplicit.xml b/docs-xml/smbdotconf/security/passdbexpandexplicit.xml new file mode 100644 index 0000000..41c8ea0 --- /dev/null +++ b/docs-xml/smbdotconf/security/passdbexpandexplicit.xml @@ -0,0 +1,14 @@ +<samba:parameter name="passdb expand explicit" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We + used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable + %G_osver% in which %G would have been substituted by the user's primary group. + </para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passwdchat.xml b/docs-xml/smbdotconf/security/passwdchat.xml new file mode 100644 index 0000000..a04fc62 --- /dev/null +++ b/docs-xml/smbdotconf/security/passwdchat.xml @@ -0,0 +1,57 @@ +<samba:parameter name="passwd chat" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This string controls the <emphasis>"chat"</emphasis> + conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the + <smbconfoption name="passwd program"/> and what to expect back. If the expected output is not + received then the password is not changed.</para> + + <para>This chat sequence is often quite site specific, depending + on what local methods are used for password control.</para> + + <para>Note that this parameter only is used if the <smbconfoption + name="unix password sync"/> parameter is set to <constant>yes</constant>. This sequence is + then called <emphasis>AS ROOT</emphasis> when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. + </para> + + <para>The string can contain the macro <parameter + moreinfo="none">%n</parameter> which is substituted + for the new password. The old password (<parameter + moreinfo="none">%o</parameter>) is only available when + <smbconfoption name="encrypt passwords"/> has been disabled. + The chat sequence can also contain the standard macros + \n, \r, \t and \s to give line-feed, carriage-return, tab + and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can + be used to collect strings with spaces in them into a single + string.</para> + + <para>If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected.</para> + + <para>If the <smbconfoption name="pam password change"/> parameter is set to <constant>yes</constant>, the + chat pairs may be matched in any order, and success is determined by the PAM result, not any particular + output. The \n macro is ignored for PAM conversions. + </para> + +</description> + +<related>unix password sync</related> +<related>passwd program</related> +<related>passwd chat debug</related> +<related>pam password change</related> + +<value type="default">*new*password* %n\n *new*password* %n\n *changed*</value> +<value type="example">"*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passwdchatdebug.xml b/docs-xml/smbdotconf/security/passwdchatdebug.xml new file mode 100644 index 0000000..0c3481e --- /dev/null +++ b/docs-xml/smbdotconf/security/passwdchatdebug.xml @@ -0,0 +1,26 @@ +<samba:parameter name="passwd chat debug" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This boolean specifies if the passwd chat script + parameter is run in <emphasis>debug</emphasis> mode. In this mode the + strings passed to and received from the passwd chat are printed + in the <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> log with a + <smbconfoption name="debug level"/> + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the <command moreinfo="none">smbd</command> log. It is available to help + Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts + when calling the <parameter moreinfo="none">passwd program</parameter> and should + be turned off after this has been done. This option has no effect if the + <smbconfoption name="pam password change"/> + parameter is set. This parameter is off by default.</para> +</description> + +<related>passwd chat</related> +<related>pam password change</related> +<related>passwd program</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passwdchattimeout.xml b/docs-xml/smbdotconf/security/passwdchattimeout.xml new file mode 100644 index 0000000..74e8688 --- /dev/null +++ b/docs-xml/smbdotconf/security/passwdchattimeout.xml @@ -0,0 +1,13 @@ +<samba:parameter name="passwd chat timeout" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This integer specifies the number of seconds smbd will wait for an initial + answer from a passwd chat script being run. Once the initial answer is received + the subsequent answers must be received in one tenth of this time. The default it + two seconds.</para> +</description> + +<value type="default">2</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passwdprogram.xml b/docs-xml/smbdotconf/security/passwdprogram.xml new file mode 100644 index 0000000..e12cc8e --- /dev/null +++ b/docs-xml/smbdotconf/security/passwdprogram.xml @@ -0,0 +1,37 @@ +<samba:parameter name="passwd program" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>The name of a program that can be used to set + UNIX user passwords. Any occurrences of <parameter moreinfo="none">%u</parameter> + will be replaced with the user name. The user name is checked for + existence before calling the password changing program.</para> + + <para>Also note that many passwd programs insist in <emphasis>reasonable + </emphasis> passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it.</para> + + <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix + password sync</parameter> parameter is set to <constant>yes + </constant> then this program is called <emphasis>AS ROOT</emphasis> + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then + <command moreinfo="none">smbd</command> will fail to change the SMB password also + (this is by design).</para> + + <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter + is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> + for <emphasis>ALL</emphasis> programs called, and must be examined + for security implications. Note that by default <parameter moreinfo="none">unix + password sync</parameter> is set to <constant>no</constant>.</para> + </description> + + <related>unix password symc</related> + + <value type="default"></value> +<value type="example">/bin/passwd %u</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml new file mode 100644 index 0000000..e53cdbe --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml @@ -0,0 +1,45 @@ +<samba:parameter name="password hash gpg key ids" + context="G" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>If <command moreinfo="none">samba</command> is running as an + active directory domain controller, it is possible to store the + cleartext password of accounts in a PGP/OpenGPG encrypted form.</para> + + <para>You can specify one or more recipients by key id or user id. + Note that 32bit key ids are not allowed, specify at least 64bit.</para> + + <para>The value is stored as 'Primary:SambaGPG' in the + <command moreinfo="none">supplementalCredentials</command> attribute.</para> + + <para>As password changes can occur on any domain controller, + you should configure this on each of them. Note that this feature is currently + available only on Samba domain controllers.</para> + + <para>This option is only available if <command moreinfo="none">samba</command> + was compiled with <command moreinfo="none">gpgme</command> support.</para> + + <para>You may need to export the <command moreinfo="none">GNUPGHOME</command> + environment variable before starting <command moreinfo="none">samba</command>. + <emphasis>It is strongly recommended to only store the public key in this + location. The private key is not used for encryption and should be + only stored where decryption is required.</emphasis></para> + + <para>Being able to restore the cleartext password helps, when they need to be imported + into other authentication systems later (see <command moreinfo="none">samba-tool user getpassword</command>) + or you want to keep the passwords in sync with another system, e.g. an OpenLDAP server + (see <command moreinfo="none">samba-tool user syncpasswords</command>).</para> + + <para>While this option needs to be configured on all domain controllers, the + <command moreinfo="none">samba-tool user syncpasswords</command> command should + run on a single domain controller only (typically the PDC-emulator).</para> +</description> + +<related>unix password sync</related> + +<value type="default"></value> +<value type="example">4952E40301FAB41A</value> +<value type="example">selftest@samba.example.com</value> +<value type="example">selftest@samba.example.com, 4952E40301FAB41A</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml b/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml new file mode 100644 index 0000000..18a43f9 --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml @@ -0,0 +1,67 @@ +<samba:parameter name="password hash userPassword schemes" + context="G" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + +<para>This parameter determines whether or not +<citerefentry><refentrytitle>samba</refentrytitle> +<manvolnum>8</manvolnum></citerefentry> acting as an Active +Directory Domain Controller will attempt to store additional +passwords hash types for the user</para> + +<para>The values are stored as 'Primary:userPassword' in the +<command moreinfo="none">supplementalCredentials</command> +attribute. The value of this option is a hash type.</para> + +<para>The currently supported hash types are:</para> +<itemizedlist> + <listitem> + <para><constant>CryptSHA256</constant></para> + </listitem> + <listitem> + <para><constant>CryptSHA512</constant></para> + </listitem> +</itemizedlist> + +<para>Multiple instances of a hash type may be computed and stored. +The password hashes are calculated using the +<citerefentry><refentrytitle>crypt</refentrytitle> +<manvolnum>3</manvolnum></citerefentry> call. +The number of rounds used to compute the hash can be specified by adding +':rounds=xxxx' to the hash type, i.e. CryptSHA512:rounds=4500 would calculate +an SHA512 hash using 4500 rounds. If not specified the Operating System +defaults for +<citerefentry><refentrytitle>crypt</refentrytitle> +<manvolnum>3</manvolnum></citerefentry> are used. +</para> + +<para>As password changes can occur on any domain controller, +you should configure this on each of them. Note that this feature is +currently available only on Samba domain controllers.</para> + +<para>Currently the NT Hash of the password is recorded when these hashes +are calculated and stored. When retrieving the hashes the current value of the +NT Hash is checked against the stored NT Hash. This detects password changes +that have not updated the password hashes. In this case +<command moreinfo="none">samba-tool user</command> will ignore the stored +hash values. +</para> + +<para>Being able to obtain the hashed password helps, when +they need to be imported into other authentication systems +later (see <command moreinfo="none">samba-tool user +getpassword</command>) or you want to keep the passwords in +sync with another system, e.g. an OpenLDAP server (see +<command moreinfo="none">samba-tool user +syncpasswords</command>).</para> + +<related>unix password sync</related> + +</description> + +<value type="default"></value> +<value type="example">CryptSHA256</value> +<value type="example">CryptSHA256 CryptSHA512</value> +<value type="example">CryptSHA256:rounds=5000 CryptSHA512:rounds=7000</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml new file mode 100644 index 0000000..8bc2ecb --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordserver.xml @@ -0,0 +1,46 @@ +<samba:parameter name="password server" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>By specifying the name of a domain controller with this option, + and using <command moreinfo="none">security = [ads|domain]</command> + it is possible to get Samba + to do all its username/password validation using a specific remote server.</para> + + <para>Ideally, this option + <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba + to determine the best DC to contact dynamically, just as all other hosts in an + AD domain do. This allows the domain to be maintained (addition + and removal of domain controllers) without modification to + the smb.conf file. The cryptographic protection on the authenticated RPC calls + used to verify passwords ensures that this default is safe.</para> + + <para><emphasis>It is strongly recommended that you use the + default of '*'</emphasis>, however if in your particular + environment you have reason to specify a particular DC list, then + the list of machines in this option must be a list of names or IP + addresses of Domain controllers for the Domain. If you use the + default of '*', or list several hosts in the <parameter + moreinfo="none">password server</parameter> option then <command + moreinfo="none">smbd </command> will try each in turn till it + finds one that responds. This is useful in case your primary + server goes down.</para> + + <para>If the list of servers contains both names/IP's and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC.</para> + + <para>If parameter is a name, it is looked up using the + parameter <smbconfoption name="name resolve order"/> and so may resolved + by any method and order described in that parameter.</para> + +</description> + +<related>security</related> +<value type="default">*</value> +<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value> +<value type="example">windc.mydomain.com:389 192.168.1.101 *</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/preloadmodules.xml b/docs-xml/smbdotconf/security/preloadmodules.xml new file mode 100644 index 0000000..7b77674 --- /dev/null +++ b/docs-xml/smbdotconf/security/preloadmodules.xml @@ -0,0 +1,13 @@ +<samba:parameter name="preload modules" + type="cmdlist" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat. </para> +</description> + +<value type="default"></value> +<value type="example">/usr/lib/samba/passdb/mysql.so</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml new file mode 100644 index 0000000..9abcb7e --- /dev/null +++ b/docs-xml/smbdotconf/security/privatedir.xml @@ -0,0 +1,14 @@ +<samba:parameter name="private dir" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>private directory</synonym> +<description> + <para>This parameters defines the directory + smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename> + and <filename moreinfo="none">secrets.tdb</filename>. +</para> +</description> + +<value type="default">&pathconfig.PRIVATE_DIR;</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml new file mode 100644 index 0000000..c4d7554 --- /dev/null +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml @@ -0,0 +1,27 @@ +<samba:parameter name="raw NTLMv2 auth" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter has been deprecated since Samba 4.13 and + support for NTLMv2 authentication without NTLMSSP will be removed + in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>raw NTLMv2 auth = no</command> + will be the enforced behaviour.</para> + + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without + extended security (without SPNEGO) to use NTLMv2 authentication.</para> + + <para>If this option, <command moreinfo="none">lanman auth</command> + and <command moreinfo="none">ntlm auth</command> are all disabled, + then only clients with SPNEGO support will be permitted. + That means NTLMv2 is only supported within NTLMSSP.</para> +</description> + +<related>lanman auth</related> +<related>ntlm auth</related> +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/readlist.xml b/docs-xml/smbdotconf/security/readlist.xml new file mode 100644 index 0000000..96f3746 --- /dev/null +++ b/docs-xml/smbdotconf/security/readlist.xml @@ -0,0 +1,18 @@ +<samba:parameter name="read list" + context="S" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This is a list of users that are given read-only access to a service. If the connecting user is in this list + then they will not be given write access, no matter what the <smbconfoption name="read only"/> option is set + to. The list can include group names using the syntax described in the <smbconfoption name="invalid users"/> + parameter. + </para> +</description> +<related>write list</related> +<related>invalid users</related> + +<value type="default"></value> +<value type="example">mary, @students</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/readonly.xml b/docs-xml/smbdotconf/security/readonly.xml new file mode 100644 index 0000000..834633f --- /dev/null +++ b/docs-xml/smbdotconf/security/readonly.xml @@ -0,0 +1,18 @@ +<samba:parameter name="read only" + context="S" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>An inverted synonym is <smbconfoption name="writeable"/>.</para> + + <para>If this parameter is <constant>yes</constant>, then users + of a service may not create or modify files in the service's + directory.</para> + + <para>Note that a printable service (<command moreinfo="none">printable = yes</command>) + will <emphasis>ALWAYS</emphasis> allow writing to the directory + (user privileges permitting), but only via spooling operations.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/renameuserscript.xml b/docs-xml/smbdotconf/security/renameuserscript.xml new file mode 100644 index 0000000..2bfbea4 --- /dev/null +++ b/docs-xml/smbdotconf/security/renameuserscript.xml @@ -0,0 +1,33 @@ +<samba:parameter name="rename user script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This is the full pathname to a script that will be run as root by <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> under special circumstances described below. + </para> + + <para> + When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager + for Domains), this script will be run to rename the POSIX user. Two variables, <literal>%uold</literal> and + <literal>%unew</literal>, will be substituted with the old and new usernames, respectively. The script should + return 0 upon successful completion, and nonzero otherwise. + </para> + + <note><para> + The script has all responsibility to rename all the necessary data that is accessible in this posix method. + This can mean different requirements for different backends. The tdbsam and smbpasswd backends will take care + of the contents of their respective files, so the script is responsible only for changing the POSIX username, and + other data that may required for your circumstances, such as home directory. Please also consider whether or + not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes, + because of the potential issues with renaming the LDAP naming attribute. In this case the script is + responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that + needs to change for other applications using the same directory. + </para></note> + +</description> + +<value type="default"></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/restrictanonymous.xml b/docs-xml/smbdotconf/security/restrictanonymous.xml new file mode 100644 index 0000000..06abe7b --- /dev/null +++ b/docs-xml/smbdotconf/security/restrictanonymous.xml @@ -0,0 +1,38 @@ +<samba:parameter name="restrict anonymous" + type="integer" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + The setting of this parameter determines whether SAMR and LSA + DCERPC services can be accessed anonymously. This corresponds + to the following Windows Server registry options: + </para> + + <programlisting> + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous + </programlisting> + + <para> + The option also affects the browse option which is required by + legacy clients which rely on Netbios browsing. While modern + Windows version should be fine with restricting the access + there could still be applications relying on anonymous access. + </para> + + <para> + Setting <smbconfoption name="restrict anonymous">1</smbconfoption> + will disable anonymous SAMR access. + </para> + + <para> + Setting <smbconfoption name="restrict anonymous">2</smbconfoption> + will, in addition to restricting SAMR access, disallow anonymous + connections to the IPC$ share in general. + Setting <smbconfoption name="guest ok">yes</smbconfoption> on any share + will remove the security advantage. + </para> +</description> + +<value type="default">0</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/rootdirectory.xml b/docs-xml/smbdotconf/security/rootdirectory.xml new file mode 100644 index 0000000..008ec50 --- /dev/null +++ b/docs-xml/smbdotconf/security/rootdirectory.xml @@ -0,0 +1,35 @@ +<samba:parameter name="root directory" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>root</synonym> +<synonym>root dir</synonym> +<description> + <para>The server will <command moreinfo="none">chroot()</command> (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + <smbconfoption name="wide smbconfoptions"/> parameter). + </para> + + <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the <parameter moreinfo="none">root directory</parameter> + option, <emphasis>including</emphasis> some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the <parameter moreinfo="none">root directory</parameter> tree. In particular + you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent.</para> +</description> + +<value type="default"></value> +<value type="example">/homes/smb</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/sambakcccommand.xml b/docs-xml/smbdotconf/security/sambakcccommand.xml new file mode 100644 index 0000000..af8a28a --- /dev/null +++ b/docs-xml/smbdotconf/security/sambakcccommand.xml @@ -0,0 +1,18 @@ +<samba:parameter name="samba kcc command" + context="G" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option specifies the path to the Samba KCC command. + This script is used for replication topology replication. + </para> + + <para>It should not be necessary to modify this option except + for testing purposes or if the <filename>samba_kcc</filename> + was installed in a non-default location. + </para> +</description> + +<value type="default">&pathconfig.SCRIPTSBINDIR;/samba_kcc</value> +<value type="example">/usr/local/bin/kcc</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml new file mode 100644 index 0000000..86f5f2a --- /dev/null +++ b/docs-xml/smbdotconf/security/security.xml @@ -0,0 +1,104 @@ +<samba:parameter name="security" + context="G" + type="enum" + function="_security" + enumlist="enum_security" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<when_value value="security"> + <requires option="encrypted passwords">/(yes|true)/</requires> +</when_value> +<description> + <para>This option affects how clients respond to + Samba and is one of the most important settings in the <filename moreinfo="none"> + smb.conf</filename> file.</para> + + <para>The default is <command moreinfo="none">security = user</command>, as this is + the most common setting, used for a standalone file server or a DC.</para> + + <para>The alternatives are + <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain + </command>, which support joining Samba to a Windows domain</para> + + <para>You should use <command moreinfo="none">security = user</command> and + <smbconfoption name="map to guest"/> if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. </para> + + <para>The different settings will now be explained.</para> + + + <para><anchor id="SECURITYEQUALSAUTO"/><emphasis>SECURITY = AUTO</emphasis></para> + + <para>This is the default security setting in Samba, and causes Samba to consult + the <smbconfoption name="server role"/> parameter (if set) to determine the security mode.</para> + + <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para> + + <para>If <smbconfoption name="server role"/> is not specified, this is the default security setting in Samba. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the <smbconfoption name="username map"/> + parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also + be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption + name="guest only"/> if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <smbconfoption name="guest account"/>. + See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> + + <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para> + + <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> has been used to add this + machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/> + parameter to be set to <constant>yes</constant>. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do.</para> + + <para><emphasis>Note</emphasis> that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to.</para> + + <para><emphasis>Note</emphasis> that from the client's point + of view <command moreinfo="none">security = domain</command> is the same + as <command moreinfo="none">security = user</command>. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <smbconfoption name="guest account"/>. + See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> + + <para>See also the <smbconfoption name="password server"/> parameter and + the <smbconfoption name="encrypted passwords"/> parameter.</para> + + <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para> + + <para>In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility. </para> + + <para>Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller. </para> + + <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption> + and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para> + + <para>Read the chapter about Domain Membership in the HOWTO for details.</para> +</description> + +<related>realm</related> +<related>encrypt passwords</related> + +<value type="default">AUTO</value> +<value type="example">DOMAIN</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml new file mode 100644 index 0000000..e535d32 --- /dev/null +++ b/docs-xml/smbdotconf/security/securitymask.xml @@ -0,0 +1,11 @@ +<samba:parameter name="security mask" + context="S" + type="string" + removed="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter has been removed for Samba 4.0.0. + </para> +</description> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml new file mode 100644 index 0000000..b8b83a1 --- /dev/null +++ b/docs-xml/smbdotconf/security/serverrole.xml @@ -0,0 +1,96 @@ +<samba:parameter name="server role" + context="G" + type="enum" + function="_server_role" + enumlist="enum_server_role" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option determines the basic operating mode of a Samba + server and is one of the most important settings in the <filename + moreinfo="none"> smb.conf</filename> file.</para> + + <para>The default is <command moreinfo="none">server role = auto</command>, as causes + Samba to operate according to the <smbconfoption name="security"/> setting, or if not + specified as a simple file server that is not connected to any domain.</para> + + <para>The alternatives are + <command moreinfo="none">server role = standalone</command> or <command moreinfo="none">server role = member server + </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">server role = domain controller</command>, which run Samba as a Windows domain controller.</para> + + <para>You should use <command moreinfo="none">server role = standalone</command> and + <smbconfoption name="map to guest"/> if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. </para> + + <para><anchor id="AUTO"/><emphasis>SERVER ROLE = AUTO</emphasis></para> + + <para>This is the default server role in Samba, and causes Samba to consult + the <smbconfoption name="security"/> parameter (if set) to determine the server role, giving compatible behaviours to previous Samba versions.</para> + + <para><anchor id="STANDALONE"/><emphasis>SERVER ROLE = STANDALONE</emphasis></para> + + <para>If <smbconfoption name="security"/> is also not specified, this is the default security setting in Samba. + In standalone operation, a client must first "log-on" with a + valid username and password (which can be mapped using the <smbconfoption name="username map"/> + parameter) stored on this machine. Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) are by default + used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption + name="guest only"/> if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.</para> + + <para><anchor id="MEMBER SERVER"/><emphasis>SERVER ROLE = MEMBER SERVER</emphasis></para> + + <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> has been used to add this + machine into a Windows Domain. It expects the <smbconfoption name="encrypted passwords"/> + parameter to be set to <constant>yes</constant>. In this + mode Samba will try to validate the username/password by passing + it to a Windows or Samba Domain Controller, in exactly + the same way that a Windows Server would do.</para> + + <para><emphasis>Note</emphasis> that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. Winbind can provide this.</para> + + <para><anchor id="PDC"/><emphasis>SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER</emphasis></para> + + <para>This mode of operation runs a classic Samba primary domain + controller, providing domain logon services to Windows and Samba + clients of an NT4-like domain. Clients must be joined to the domain to + create a secure, trusted path across the network. There must be + only one PDC per NetBIOS scope (typcially a broadcast network or + clients served by a single WINS server).</para> + + <para><anchor id="BDC"/><emphasis>SERVER ROLE = CLASSIC BACKUP DOMAIN CONTROLLER</emphasis></para> + + <para>This mode of operation runs a classic Samba backup domain + controller, providing domain logon services to Windows and Samba + clients of an NT4-like domain. As a BDC, this allows + multiple Samba servers to provide redundant logon services to a + single NetBIOS scope.</para> + + <para><anchor id="AD-DC"/><emphasis>SERVER ROLE = ACTIVE DIRECTORY DOMAIN CONTROLLER</emphasis></para> + + <para>This mode of operation runs Samba as an active directory + domain controller, providing domain logon services to Windows and + Samba clients of the domain. This role requires special + configuration, see the <ulink + url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4 + HOWTO</ulink></para> + + <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para> + + <para>This mode of operation runs Samba in a hybrid mode for IPA + domain controller, providing forest trust to Active Directory. + This role requires special configuration performed by IPA installers + and should not be used manually by any administrator. + </para> +</description> + +<related>security</related> +<related>realm</related> +<related>encrypt passwords</related> + +<value type="default">AUTO</value> +<value type="example">ACTIVE DIRECTORY DOMAIN CONTROLLER</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml new file mode 100644 index 0000000..5c69f0f --- /dev/null +++ b/docs-xml/smbdotconf/security/serverschannel.xml @@ -0,0 +1,102 @@ +<samba:parameter name="server schannel" + context="G" + type="enum" + enumlist="enum_bool_auto" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). + </para> + + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead! + </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + This allows admins to use "auto" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>. + </para> + + <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="server schannel require seal"/>' options.</para> + +</description> + +<value type="default">yes</value> +</samba:parameter> + +<samba:parameter name="server require schannel:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members, which required "server schannel = auto" before, + it is possible to specify explicit exception per computer account + by using 'server require schannel:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will complain in the log files at log level 0, + about the security problem if the option is not set to "no", + but the related computer is actually using the netlogon + secure channel (schannel) feature. + (The log level can be adjusted with + '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>. + </para> + + <para>This option overrides the <smbconfoption name="server schannel"/> option.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="server schannel require seal"/>' options.</para> + <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' + is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para> + + <programlisting> + server require schannel:LEGACYCOMPUTER1$ = no + server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel:NASBOX$ = no + server require schannel seal:NASBOX$ = no + server require schannel:LEGACYCOMPUTER2$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml new file mode 100644 index 0000000..0bec67d --- /dev/null +++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml @@ -0,0 +1,117 @@ +<samba:parameter name="server schannel require seal" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). + </para> + + <para> + This option controls whether the netlogon server, will reject the usage + of netlogon secure channel without privacy/enryption. + </para> + + <para> + The option is modelled after the registry key available on Windows. + </para> + + <programlisting> + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 + </programlisting> + + <para> + <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para>This allows admins to use "no" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para> + + <para> + When set to 'yes' this option overrides the + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and + '<smbconfoption name="server schannel"/>' options and implies + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'. + </para> + + <para> + This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option. + </para> + +</description> + +<value type="default">yes</value> +</samba:parameter> + +<samba:parameter name="server schannel require seal:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + If you still have legacy domain members, which required "server schannel require seal = no" before, + it is possible to specify explicit exception per computer account + by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para> + This option overrides the '<smbconfoption name="server schannel require seal"/>' option. + </para> + + <para> + When set to 'yes' this option overrides the + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and + '<smbconfoption name="server schannel"/>' options and implies + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'. + </para> + + <programlisting> + server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel seal:NASBOX$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/serversigning.xml b/docs-xml/smbdotconf/security/serversigning.xml new file mode 100644 index 0000000..0b7755a --- /dev/null +++ b/docs-xml/smbdotconf/security/serversigning.xml @@ -0,0 +1,29 @@ +<samba:parameter name="server signing" + context="G" + type="enum" + enumlist="enum_smb_signing_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This controls whether the client is allowed or required to use SMB1 and SMB2 signing. Possible values + are <emphasis>default</emphasis>, <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> + and <emphasis>disabled</emphasis>. + </para> + + <para>By default, and when smb signing is set to + <emphasis>default</emphasis>, smb signing is required when + <smbconfoption name="server role"/> is <emphasis>active directory + domain controller</emphasis> and disabled otherwise.</para> + + <para>When set to auto, SMB1 signing is offered, but not enforced. + When set to mandatory, SMB1 signing is required and if set + to disabled, SMB signing is not offered either.</para> + + <para>For the SMB2 protocol, by design, signing cannot be disabled. In the case + where SMB2 is negotiated, if this parameter is set to <emphasis>disabled</emphasis>, + it will be treated as <emphasis>auto</emphasis>. Setting it to <emphasis>mandatory</emphasis> + will still require SMB2 clients to use signing.</para> +</description> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml new file mode 100644 index 0000000..5f38b46 --- /dev/null +++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml @@ -0,0 +1,241 @@ +<samba:parameter name="server smb encrypt" + context="S" + type="enum" + enumlist="enum_smb_encryption_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter controls whether a remote client is allowed or required + to use SMB encryption. It has different effects depending on whether + the connection uses SMB1 or SMB2 and newer: + </para> + + <itemizedlist> + <listitem> + <para> + If the connection uses SMB1, then this option controls the use + of a Samba-specific extension to the SMB protocol introduced in + Samba 3.2 that makes use of the Unix extensions. + </para> + </listitem> + + <listitem> + <para> + If the connection uses SMB2 or newer, then this option controls + the use of the SMB-level encryption that is supported in SMB + version 3.0 and above and available in Windows 8 and newer. + </para> + </listitem> + </itemizedlist> + + <para> + This parameter can be set globally and on a per-share bases. + Possible values are + + <emphasis>off</emphasis>, + <emphasis>if_required</emphasis>, + <emphasis>desired</emphasis>, + and + <emphasis>required</emphasis>. + A special value is <emphasis>default</emphasis> which is + the implicit default setting of <emphasis>if_required</emphasis>. + </para> + + <variablelist> + <varlistentry> + <term><emphasis>Effects for SMB1</emphasis></term> + <listitem> + <para> + The Samba-specific encryption of SMB1 connections is an + extension to the SMB protocol negotiated as part of the UNIX + extensions. SMB encryption uses the GSSAPI (SSPI on Windows) + ability to encrypt and sign every request/response in a SMB + protocol stream. When enabled it provides a secure method of + SMB/CIFS communication, similar to an ssh protected session, but + using SMB/CIFS authentication to negotiate encryption and + signing keys. Currently this is only supported smbclient of by + Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X + clients. Windows clients do not support this feature. + </para> + + <para>This may be set on a per-share + basis, but clients may chose to encrypt the entire session, not + just traffic to a specific share. If this is set to mandatory + then all traffic to a share <emphasis>must</emphasis> + be encrypted once the connection has been made to the share. + The server would return "access denied" to all non-encrypted + requests on such a share. Selecting encrypted traffic reduces + throughput as smaller packet sizes must be used (no huge UNIX + style read/writes allowed) as well as the overhead of encrypting + and signing all the data. + </para> + + <para> + If SMB encryption is selected, Windows style SMB signing (see + the <smbconfoption name="server signing"/> option) is no longer + necessary, as the GSSAPI flags use select both signing and + sealing of the data. + </para> + + <para> + When set to auto or default, SMB encryption is offered, but not + enforced. When set to mandatory, SMB encryption is required and + if set to disabled, SMB encryption can not be negotiated. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><emphasis>Effects for SMB2 and newer</emphasis></term> + <listitem> + <para> + Native SMB transport encryption is available in SMB version 3.0 + or newer. It is only offered by Samba if + <emphasis>server max protocol</emphasis> is set to + <emphasis>SMB3</emphasis> or newer. + Clients supporting this type of encryption include + Windows 8 and newer, + Windows server 2012 and newer, + and smbclient of Samba 4.1 and newer. + </para> + + <para> + The protocol implementation offers various options: + </para> + + <itemizedlist> + <listitem> + <para> + The capability to perform SMB encryption can be + negotiated during protocol negotiation. + </para> + </listitem> + + <listitem> + <para> + Data encryption can be enabled globally. In that case, + an encryption-capable connection will have all traffic + in all its sessions encrypted. In particular all share + connections will be encrypted. + </para> + </listitem> + + <listitem> + <para> + Data encryption can also be enabled per share if not + enabled globally. For an encryption-capable connection, + all connections to an encryption-enabled share will be + encrypted. + </para> + </listitem> + + <listitem> + <para> + Encryption can be enforced. This means that session + setups will be denied on non-encryption-capable + connections if data encryption has been enabled + globally. And tree connections will be denied for + non-encryption capable connections to shares with data + encryption enabled. + </para> + </listitem> + </itemizedlist> + + <para> + These features can be controlled with settings of + <emphasis>server smb encrypt</emphasis> as follows: + </para> + + <itemizedlist> + <listitem> + <para> + Leaving it as default, explicitly setting + <emphasis>default</emphasis>, or setting it to + <emphasis>if_required</emphasis> globally will enable + negotiation of encryption but will not turn on + data encryption globally or per share. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>desired</emphasis> globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those clients + that support it. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>required</emphasis> globally + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>off</emphasis> globally will + completely disable the encryption feature for all + connections. Setting <parameter>server smb encrypt = + required</parameter> for individual shares (while it's + globally off) will deny access to this shares for all + clients. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>desired</emphasis> on a share + will turn on data encryption for this share for clients + that support encryption if negotiation has been + enabled globally. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>required</emphasis> on a share + will enforce data encryption for this share if + negotiation has been enabled globally. I.e. clients that + do not support encryption will be denied access to the + share. + </para> + <para> + Note that this allows per-share enforcing to be + controlled in Samba differently from Windows: + In Windows, <emphasis>RejectUnencryptedAccess</emphasis> + is a global setting, and if it is set, all shares with + data encryption turned on + are automatically enforcing encryption. In order to + achieve the same effect in Samba, one + has to globally set <emphasis>server smb encrypt</emphasis> to + <emphasis>if_required</emphasis>, and then set all shares + that should be encrypted to + <emphasis>required</emphasis>. + Additionally, it is possible in Samba to have some + shares with encryption <emphasis>required</emphasis> + and some other shares with encryption only + <emphasis>desired</emphasis>, which is not possible in + Windows. + </para> + </listitem> + + <listitem> + <para> + Setting it to <emphasis>off</emphasis> or + <emphasis>if_required</emphasis> for a share has + no effect. + </para> + </listitem> + </itemizedlist> + </listitem> + </varlistentry> + </variablelist> +</description> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml new file mode 100644 index 0000000..2dd2db9 --- /dev/null +++ b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml @@ -0,0 +1,21 @@ +<samba:parameter name="server smb3 encryption algorithms" + context="G" + type="list" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the availability and order of + encryption algorithms which are available for negotiation in the SMB3_11 dialect. + </para> + <para>It is also possible to remove individual algorithms from the default list, + by prefixing them with '-'. This can avoid having to specify a hardcoded list. + </para> + <para>Note: that the removal of AES-128-CCM from the list will result + in SMB3_00 and SMB3_02 being unavailable, as it is the default and only + available algorithm for these dialects. + </para> +</description> + +<value type="default">AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM</value> +<value type="example">AES-256-GCM</value> +<value type="example">-AES-128-GCM -AES-128-CCM</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml new file mode 100644 index 0000000..7884e60 --- /dev/null +++ b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml @@ -0,0 +1,22 @@ +<samba:parameter name="server smb3 signing algorithms" + context="G" + type="list" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the availability and order of + signing algorithms which are available for negotiation in the SMB3_11 dialect. + </para> + <para>It is also possible to remove individual algorithms from the default list, + by prefixing them with '-'. This can avoid having to specify a hardcoded list. + </para> + <para>Note: that the removal of AES-128-CMAC from the list will result + in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256 + will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only + available algorithms for these dialects. + </para> +</description> + +<value type="default">AES-128-GMAC, AES-128-CMAC, HMAC-SHA256</value> +<value type="example">AES-128-CMAC, HMAC-SHA256</value> +<value type="example">-AES-128-CMAC</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml new file mode 100644 index 0000000..6027120 --- /dev/null +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -0,0 +1,15 @@ +<samba:parameter name="smb encrypt" + context="S" + type="enum" + enumlist="enum_smb_encryption_vals" + function="server_smb_encrypt" + synonym="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This is a synonym for <smbconfoption name="server smb encrypt"/>. + </para> +</description> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/smbpasswdfile.xml b/docs-xml/smbdotconf/security/smbpasswdfile.xml new file mode 100644 index 0000000..fab7037 --- /dev/null +++ b/docs-xml/smbdotconf/security/smbpasswdfile.xml @@ -0,0 +1,18 @@ +<samba:parameter name="smb passwd file" + type="string" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba.</para> + + <para> + An example of use is: +<programlisting> +smb passwd file = /etc/samba/smbpasswd +</programlisting> + </para> +</description> + +<value type="default">&pathconfig.SMB_PASSWD_FILE;</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/tlscafile.xml b/docs-xml/smbdotconf/security/tlscafile.xml new file mode 100644 index 0000000..bcbac62 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlscafile.xml @@ -0,0 +1,20 @@ +<samba:parameter name="tls cafile" + type="string" + context="G" + function="_tls_cafile" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>This option can be set to a file (PEM format) + containing CA certificates of root CAs to trust to sign + certificates or intermediate CA certificates.</para> + <para>This path is relative to <smbconfoption name="private dir"/> if the path + does not start with a /.</para> + </description> + + <related>tls certfile</related> + <related>tls crlfile</related> + <related>tls dh params file</related> + <related>tls enabled</related> + <related>tls keyfile</related> + <value type="default">tls/ca.pem</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/tlscertfile.xml b/docs-xml/smbdotconf/security/tlscertfile.xml new file mode 100644 index 0000000..cf70954 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlscertfile.xml @@ -0,0 +1,19 @@ +<samba:parameter name="tls certfile" + type="string" + context="G" + function="_tls_certfile" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>This option can be set to a file (PEM format) + containing the RSA certificate. </para> + <para>This path is relative to <smbconfoption name="private dir"/> if the path + does not start with a /.</para> +</description> + + <related>tls keyfile</related> + <related>tls crlfile</related> + <related>tls dh params file</related> + <related>tls enabled</related> + <related>tls cafile</related> + <value type="default">tls/cert.pem</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/tlscrlfile.xml b/docs-xml/smbdotconf/security/tlscrlfile.xml new file mode 100644 index 0000000..1f42b85 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlscrlfile.xml @@ -0,0 +1,19 @@ +<samba:parameter name="tls crlfile" + type="string" + context="G" + function="_tls_crlfile" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>This option can be set to a file containing a certificate + revocation list (CRL).</para> + <para>This path is relative to <smbconfoption name="private dir"/> if the path + does not start with a /.</para> +</description> + + <related>tls certfile</related> + <related>tls crlfile</related> + <related>tls dh params file</related> + <related>tls enabled</related> + <related>tls cafile</related> + <value type="default"></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/tlsdhparamsfile.xml b/docs-xml/smbdotconf/security/tlsdhparamsfile.xml new file mode 100644 index 0000000..5bf59aa --- /dev/null +++ b/docs-xml/smbdotconf/security/tlsdhparamsfile.xml @@ -0,0 +1,20 @@ +<samba:parameter name="tls dh params file" + type="string" + context="G" + function="_tls_dhpfile" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>This option can be set to a file with Diffie-Hellman parameters + which will be used with DH ciphers. + </para> + <para>This path is relative to <smbconfoption name="private dir"/> if the path + does not start with a /.</para> +</description> + + <related>tls certfile</related> + <related>tls crlfile</related> + <related>tls cafile</related> + <related>tls enabled</related> + <related>tls keyfile</related> + <value type="default"></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/tlsenabled.xml b/docs-xml/smbdotconf/security/tlsenabled.xml new file mode 100644 index 0000000..411b928 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlsenabled.xml @@ -0,0 +1,10 @@ +<samba:parameter name="tls enabled" + type="boolean" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>If this option is set to <constant>yes</constant>, then Samba + will use TLS when possible in communication.</para> + </description> + <value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/tlskeyfile.xml b/docs-xml/smbdotconf/security/tlskeyfile.xml new file mode 100644 index 0000000..9caa824 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlskeyfile.xml @@ -0,0 +1,20 @@ +<samba:parameter name="tls keyfile" + type="string" + context="G" + function="_tls_keyfile" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>This option can be set to a file (PEM format) + containing the RSA private key. This file must be accessible without + a pass-phrase, i.e. it must not be encrypted.</para> + <para>This path is relative to <smbconfoption name="private dir"/> if the path + does not start with a /.</para> + </description> + + <related>tls certfile</related> + <related>tls crlfile</related> + <related>tls dh params file</related> + <related>tls enabled</related> + <related>tls cafile</related> + <value type="default">tls/key.pem</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml new file mode 100644 index 0000000..471dc25 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlspriority.xml @@ -0,0 +1,19 @@ +<samba:parameter name="tls priority" + type="string" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + <description> + <para>This option can be set to a string describing the TLS protocols + to be supported in the parts of Samba that use GnuTLS, specifically + the AD DC. + </para> + <para>The string is appended to the default priority list of GnuTLS.</para> + <para>The valid options are described in the + <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS + Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink> + </para> + <para>The SSL3.0 protocol will be disabled.</para> + </description> + + <value type="default">NORMAL:-VERS-SSL3.0</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml new file mode 100644 index 0000000..4f47dd4 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml @@ -0,0 +1,47 @@ +<samba:parameter name="tls verify peer" + context="G" + type="enum" + enumlist="enum_tls_verify_peer_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This controls if and how strict the client will verify the peer's certificate and name. + Possible values are (in increasing order): + <constant>no_check</constant>, + <constant>ca_only</constant>, + <constant>ca_and_name_if_available</constant>, + <constant>ca_and_name</constant> + and + <constant>as_strict_as_possible</constant>.</para> + + <para>When set to <constant>no_check</constant> the certificate is not verified at + all, which allows trivial man in the middle attacks. + </para> + + <para>When set to <constant>ca_only</constant> the certificate is verified to + be signed from a ca specified in the <smbconfoption name="tls ca file"/> option. + Setting <smbconfoption name="tls ca file"/> to a valid file is required. + The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/> + option is configured, the certificate is also verified against the ca crl. + </para> + + <para>When set to <constant>ca_and_name_if_available</constant> all checks from + <constant>ca_only</constant> are performed. In addition, the peer hostname is verified + against the certificate's name, if it is provided by the application layer and + not given as an ip address string. + </para> + + <para>When set to <constant>ca_and_name</constant> all checks from + <constant>ca_and_name_if_available</constant> are performed. + In addition the peer hostname needs to be provided and even an ip + address is checked against the certificate's name. + </para> + + <para>When set to <constant>as_strict_as_possible</constant> all checks from + <constant>ca_and_name</constant> are performed. In addition the + <smbconfoption name="tls crl file"/> needs to be configured. + Future versions of Samba may implement additional checks. + </para> +</description> + +<value type="default">as_strict_as_possible</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/unixpasswordsync.xml b/docs-xml/smbdotconf/security/unixpasswordsync.xml new file mode 100644 index 0000000..89b0158 --- /dev/null +++ b/docs-xml/smbdotconf/security/unixpasswordsync.xml @@ -0,0 +1,26 @@ +<samba:parameter name="unix password sync" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd + program</parameter> parameter is called <emphasis>AS ROOT</emphasis> - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new).</para> + + <para>This option has no effect if <command moreinfo="none">samba</command> + is running as an active directory domain controller, in that case have a + look at the <smbconfoption name="password hash gpg key ids"/> option and the + <command moreinfo="none">samba-tool user syncpasswords</command> command.</para> +</description> + +<related>passwd program</related> +<related>passwd chat</related> +<related>password hash gpg key ids</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/usernamelevel.xml b/docs-xml/smbdotconf/security/usernamelevel.xml new file mode 100644 index 0000000..f5248c0 --- /dev/null +++ b/docs-xml/smbdotconf/security/usernamelevel.xml @@ -0,0 +1,26 @@ +<samba:parameter name="username level" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine.</para> + + <para>If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as <constant>AstrangeUser + </constant>.</para> + + <para>This parameter is needed only on UNIX systems that have case + sensitive usernames.</para> +</description> + +<value type="default">0</value> +<value type="example">5</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml new file mode 100644 index 0000000..809a54c --- /dev/null +++ b/docs-xml/smbdotconf/security/usernamemap.xml @@ -0,0 +1,130 @@ +<samba:parameter name="username map" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This option allows you to specify a file containing a mapping of usernames from the clients to the server. + This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows + machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they + can more easily share files. + </para> + + <para> + Please note that for user mode security, the username map is applied prior to validating the user + credentials. Domain member servers (domain or ads) apply the username map after the user has been + successfully authenticated by the domain controller and require fully qualified entries in the map table (e.g. + biddle = <literal>DOMAIN\foo</literal>). + </para> + + <para> + The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' + followed by a list of usernames on the right. The list of usernames on the right may contain names of the form + @group in which case they will match any UNIX username in that group. The special client name '*' is a + wildcard and matches any name. Each line of the map file may be up to 1023 characters long. + </para> + + <para> + The file is processed on each line by taking the supplied username and comparing it with each username on the + right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it + is replaced with the name on the left. Processing then continues with the next line. + </para> + + <para> + If any line begins with a '#' or a ';' then it is ignored. + </para> + + <para> + If any line begins with an '!' then the processing will stop after that line if a mapping was done by the + line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a + wildcard mapping line later in the file. + </para> + + <para> + For example to map from the name <constant>admin</constant> or <constant>administrator</constant> to the UNIX + name <constant> root</constant> you would use: +<programlisting> +<command moreinfo="none">root = admin administrator</command> +</programlisting> + Or to map anyone in the UNIX group <constant>system</constant> to the UNIX name <constant>sys</constant> you would use: +<programlisting> +<command moreinfo="none">sys = @system</command> +</programlisting> + </para> + + <para> + You can have as many mappings as you like in a username map file. + </para> + + + <para> + If your system supports the NIS NETGROUP option then the netgroup database is checked before the <filename + moreinfo="none">/etc/group </filename> database for matching groups. + </para> + + <para> + You can map Windows usernames that have spaces in them by using double quotes around the name. For example: +<programlisting> +<command moreinfo="none">tridge = "Andrew Tridgell"</command> +</programlisting> + would map the windows username "Andrew Tridgell" to the unix username "tridge". + </para> + + <para> + The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on that line: +<programlisting format="linespecific"> +!sys = mary fred +guest = * +</programlisting> + </para> + + <para> + Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and + <constant>fred</constant> is remapped to <constant>mary</constant> then you will actually be connecting to + \\server\mary and will need to supply a password suitable for <constant>mary</constant> not + <constant>fred</constant>. The only exception to this is the + username passed to a Domain Controller (if you have one). The DC will receive whatever username the client + supplies without modification. + </para> + + <para> + Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been + mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print + job. + </para> + + <para> + Samba versions prior to 3.0.8 would only support reading the fully qualified username + (e.g.: <literal>DOMAIN\user</literal>) from + the username map when performing a kerberos login from a client. However, when looking up a map entry for a + user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent + behavior sometimes even on the same server. + </para> + + <para> + The following functionality is obeyed in version 3.0.8 and later: + </para> + + <para> + When performing local authentication, the username map is applied to the login name before attempting to authenticate + the connection. + </para> + + <para> + When relying upon a external domain controller for validating authentication requests, smbd will apply the username map + to the fully qualified username (i.e. <literal>DOMAIN\user</literal>) only after the user has been successfully authenticated. + </para> + + <para> + An example of use is: +<programlisting> +username map = /usr/local/samba/lib/users.map +</programlisting> + </para> + +</description> + +<value type="default"><comment>no username map</comment></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/usernamemapcachetime.xml b/docs-xml/smbdotconf/security/usernamemapcachetime.xml new file mode 100644 index 0000000..974026c --- /dev/null +++ b/docs-xml/smbdotconf/security/usernamemapcachetime.xml @@ -0,0 +1,26 @@ +<samba:parameter name="username map cache time" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + Mapping usernames with the <smbconfoption name="username map"/> + or <smbconfoption name="username map script"/> + features of Samba can be relatively expensive. + During login of a user, the mapping is done several times. + In particular, calling the <smbconfoption name="username map script"/> + can slow down logins if external databases have to be queried from + the script being called. + </para> + + <para> + The parameter <smbconfoption name="username map cache time"/> + controls a mapping cache. It specifies the number of seconds a + mapping from the username map file or script is to be efficiently cached. + The default of 0 means no caching is done. + </para> +</description> + +<value type="default">0</value> +<value type="example">60</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/usernamemapscript.xml b/docs-xml/smbdotconf/security/usernamemapscript.xml new file mode 100644 index 0000000..7123c53 --- /dev/null +++ b/docs-xml/smbdotconf/security/usernamemapscript.xml @@ -0,0 +1,19 @@ +<samba:parameter name="username map script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This script is a mutually exclusive alternative to the + <smbconfoption name="username map"/> parameter. This parameter + specifies an external program or script that must accept a single + command line option (the username transmitted in the authentication + request) and return a line on standard output (the name to which + the account should mapped). In this way, it is possible to store + username map tables in an LDAP directory services. + </para> +</description> + +<value type="default"/> +<value type="example">/etc/samba/scripts/mapusers.sh</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml new file mode 100644 index 0000000..0b681a1 --- /dev/null +++ b/docs-xml/smbdotconf/security/validusers.xml @@ -0,0 +1,38 @@ +<samba:parameter name="valid users" + context="S" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This is a list of users that should be allowed to login to this service. Names starting with + '@', '+' and '&' are interpreted using the same rules as described in the + <parameter moreinfo="none">invalid users</parameter> parameter. + </para> + + <para> + If this is empty (the default) then any user can login. If a username is in both this list + and the <parameter moreinfo="none">invalid users</parameter> list then access is denied + for that user. + </para> + + <para> + The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. + This is useful in the [homes] section. + </para> + + <para><emphasis>Note: </emphasis>When used in the [global] section this + parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see + <parameter moreinfo="none">local master</parameter>, + <parameter moreinfo="none">os level</parameter>, + <parameter moreinfo="none">domain master</parameter>, + <parameter moreinfo="none">preferred master</parameter>) this option + will prevent workstations from being able to browse the network. + </para> + +</description> + +<related>invalid users</related> + +<value type="default"><comment>No valid users list (anyone can login) </comment></value> +<value type="example">greg, @pcusers</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/writeable.xml b/docs-xml/smbdotconf/security/writeable.xml new file mode 100644 index 0000000..5433849 --- /dev/null +++ b/docs-xml/smbdotconf/security/writeable.xml @@ -0,0 +1,14 @@ +<samba:parameter name="writeable" + context="S" + type="boolean-rev" + function="read_only" + synonym="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>writable</synonym> +<synonym>write ok</synonym> +<description> + <para>Inverted synonym for <smbconfoption name="read only"/>.</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/writelist.xml b/docs-xml/smbdotconf/security/writelist.xml new file mode 100644 index 0000000..a9b9e8b --- /dev/null +++ b/docs-xml/smbdotconf/security/writelist.xml @@ -0,0 +1,24 @@ +<samba:parameter name="write list" + context="S" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This is a list of users that are given read-write access to a service. If the + connecting user is in this list then they will be given write access, no matter + what the <smbconfoption name="read only"/> option is set to. The list can + include group names using the @group syntax. + </para> + + <para> + Note that if a user is in both the read list and the write list then they will be + given write access. + </para> + +</description> + +<related>read list</related> + +<value type="default"></value> +<value type="example">admin, root, @staff</value> +</samba:parameter> |